Get this error when trying to restart ipa service on apparently not working replica. This is

cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

and
ipa-server-4.4.0-14.el7.centos.7.x86_64
and
389-ds-base-1.3.5.10-20.el7_3.x86_64

ausearch -m avc -ts today
<no matches>

slapd log shows the following

[22/Sep/2017:20:17:09.347682405 +0000] SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[22/Sep/2017:20:17:09.349071947 +0000] SSL alert: Security Initialization: Enabling default cipher set.
[22/Sep/2017:20:17:09.349375124 +0000] SSL alert: Configured NSS Ciphers
[22/Sep/2017:20:17:09.349563797 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[22/Sep/2017:20:17:09.349777578 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[22/Sep/2017:20:17:09.350058874 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[22/Sep/2017:20:17:09.350253063 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[22/Sep/2017:20:17:09.350444460 +0000] SSL alert: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[22/Sep/2017:20:17:09.350701172 +0000] SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Sep/2017:20:17:09.350893090 +0000] SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Sep/2017:20:17:09.351072545 +0000] SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Sep/2017:20:17:09.351309052 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[22/Sep/2017:20:17:09.351583340 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Sep/2017:20:17:09.351769757 +0000] SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[22/Sep/2017:20:17:09.351974981 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[22/Sep/2017:20:17:09.352164262 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Sep/2017:20:17:09.352340685 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Sep/2017:20:17:09.352542263 +0000] SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[22/Sep/2017:20:17:09.352733543 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Sep/2017:20:17:09.352918881 +0000] SSL alert: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[22/Sep/2017:20:17:09.353101704 +0000] SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Sep/2017:20:17:09.353281802 +0000] SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[22/Sep/2017:20:17:09.353466924 +0000] SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Sep/2017:20:17:09.353685045 +0000] SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Sep/2017:20:17:09.353892808 +0000] SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Sep/2017:20:17:09.354107226 +0000] SSL alert: TLS_AES_128_GCM_SHA256: enabled
[22/Sep/2017:20:17:09.354318986 +0000] SSL alert: TLS_CHACHA20_POLY1305_SHA256: enabled
[22/Sep/2017:20:17:09.354531161 +0000] SSL alert: TLS_AES_256_GCM_SHA384: enabled
[22/Sep/2017:20:17:09.354740409 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[22/Sep/2017:20:17:09.354935016 +0000] SSL alert: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[22/Sep/2017:20:17:09.355128927 +0000] SSL alert: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[22/Sep/2017:20:17:09.362744793 +0000] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[22/Sep/2017:20:17:09.363153851 +0000] 389-Directory/1.3.5.10 B2017.102.203 starting up
[22/Sep/2017:20:17:09.374289379 +0000] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[22/Sep/2017:20:17:09.381853474 +0000] WARNING: changelog: entry cache size 2097152 B is less than db size 90570752 B; We recommend to increase the entry cache size nsslapd-cachememsize.
[22/Sep/2017:20:17:09.382628247 +0000] Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[22/Sep/2017:20:17:09.440619592 +0000] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[22/Sep/2017:20:17:09.541575136 +0000] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[22/Sep/2017:20:17:09.548822508 +0000] dna-plugin - dna_parse_config_entry: Unable to locate shared configuration entry (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=company,dc=domain)
[22/Sep/2017:20:17:09.549220205 +0000] dna-plugin - dna_parse_config_entry: Invalid config entry [cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped
[22/Sep/2017:20:17:09.566729598 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[22/Sep/2017:20:17:09.575270590 +0000] slapd started. Listening on All Interfaces port 389 for LDAP requests
[22/Sep/2017:20:17:09.575561870 +0000] Listening on All Interfaces port 636 for LDAPS requests
[22/Sep/2017:20:17:09.575772412 +0000] Listening on /var/run/slapd-company-domain.socket for LDAPI requests
[22/Sep/2017:20:17:09.855493846 +0000] slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1
[22/Sep/2017:20:17:09.856267729 +0000] slapd shutting down - waiting for 27 threads to terminate
[22/Sep/2017:20:17:09.856664101 +0000] slapd shutting down - closing down domain subsystems and plugins
[22/Sep/2017:20:17:14.572232152 +0000] Waiting for 4 database threads to stop
[22/Sep/2017:20:17:15.430730850 +0000] All database threads now stopped
[22/Sep/2017:20:17:15.448323210 +0000] slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects
[22/Sep/2017:20:17:15.580988368 +0000] slapd stopped.

I found a mention of this bug https://bugzilla.redhat.com/show_bug.cgi?id=996716
but it seems to be for an older version of dirsrv than what we have installed.
Any idea as to why I'm getting these errors?

pgb 205 via FreeIPA-users wrote:
> Any idea as to why I'm getting these errors?

Because the configured hostname doesn't match any configured known master?
ipactl looks in cn=masters,cn=ipa,cn=etc,$SUFFIX for the list of known masters. It uses that to determine what services are configured for a specific master to know what to start. Your hostname is not in that list for some reason.
rob
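
The check described in the reply above, as an added example that is not part of the original thread: it compares a hostname against the entries under cn=masters,cn=ipa,cn=etc,$SUFFIX. The suffix and LDAPI socket path are assumed from the log in the question, the function names are hypothetical, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example: is this host listed where ipactl looks for known masters?
# Assumed from the posted log: suffix dc=company,dc=domain and the LDAPI socket path.
SUFFIX="dc=company,dc=domain"
LDAPI_URI="ldapi://%2fvar%2frun%2fslapd-company-domain.socket"

# Live query (run as root while dirsrv is up); not called automatically here.
query_masters() {
    ldapsearch -LLL -o ldif-wrap=no -H "$LDAPI_URI" -Y EXTERNAL \
        -b "cn=masters,cn=ipa,cn=etc,$SUFFIX" -s one cn 2>/dev/null
}

# Read LDIF on stdin; print one lower-cased master hostname per line.
list_masters() {
    sed -n 's/^cn: *//p' | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# is_known_master HOSTNAME < ldif : exit 0 if listed, 1 otherwise.
# Comparison ignores case and a trailing dot, but a short name never matches an FQDN.
is_known_master() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    list_masters | grep -Fxq -- "$want"
}

# check_host HOSTNAME LDIF_TEXT : print a one-line verdict.
check_host() {
    if printf '%s\n' "$2" | is_known_master "$1"; then
        echo "$1: listed under cn=masters"
    else
        echo "$1: NOT listed under cn=masters"
    fi
}

# Constructed sample of what query_masters could return (hostnames are made up).
SAMPLE_LDIF='dn: cn=ipa1.company.domain,cn=masters,cn=ipa,cn=etc,dc=company,dc=domain
cn: ipa1.company.domain

dn: cn=ipa2.company.domain,cn=masters,cn=ipa,cn=etc,dc=company,dc=domain
cn: ipa2.company.domain
'

check_host "ipa2.company.domain" "$SAMPLE_LDIF"
check_host "ipa3" "$SAMPLE_LDIF"
# Live use: check_host "<hostname this server is configured with>" "$(query_masters)"
```
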