Bug 692469

Summary: Replica install fails after step for "enable GSSAPI for replication"
Product: Red Hat Enterprise Linux 6
Reporter: Namita Soman <nsoman>
Component: 389-ds-base
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
Severity: urgent
Priority: unspecified
Version: 6.1
CC: dpal, jgalipea, mgregg, rcritten, yzhang
Target Milestone: rc
Keywords: screened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ds-replication-1.2.8-0.10.rc5.el6
Doc Type: Bug Fix
Doc Text:
When installing a replica (using the ipa-replica-install command), GSSAPI errors similar to the following might be returned:
[07/Apr/2011:10:46:23 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[07/Apr/2011:10:46:23 -0400] NSMMReplicationPlugin - agmt="cn=meToipaqa64vmb.testrelm" (ipaqa64vmb:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
These messages can be safely ignored.
Clone Of:
: 692937 694571
Last Closed: 2011-05-19 14:41:28 UTC
Bug Depends On: 692937    
Bug Blocks: 694571, 702988    
Attachments:
Description | Flags
Replica Install Log | none
tail of /var/log/dirsrv/slapd-TESTRELM/errors | none
/var/log/dirsrv/slapd-TESTRELM/errors from slave machine | none
new install log when using ds-replication-1.2.8-0.10.rc5.el6 | none

Description Namita Soman 2011-03-31 12:22:34 UTC
Description of problem:
Replica install indicates an error and doesn't complete successfully
Run an install for replica, and it throws error -
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
creation of replica failed: {'desc': 'Operations error'}

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Version-Release number of selected component (if applicable):
ipa-server-2.0.0-17.el6.x86_64
ds-replication-1.2.8-0.7.rc2.el6.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install replica using command:
ipa-replica-install --setup-dns  --no-forwarder -p Secret123 replica-info-rhel61-server2.testrelm.gpg -d

Actual results:
Install fails

Expected results:
Replica should be installed

Additional info:

Comment 1 Namita Soman 2011-03-31 12:24:16 UTC
Created attachment 489057 [details]
Replica Install Log

Comment 2 Rob Crittenden 2011-03-31 12:40:23 UTC
Can you see if there are any logged errors in /var/log/dirsrv/slapd-TESTRELM/errors?

Comment 4 Namita Soman 2011-03-31 17:42:12 UTC
Created attachment 489183 [details]
tail of /var/log/dirsrv/slapd-TESTRELM/errors

Comment 5 Rob Crittenden 2011-03-31 18:33:54 UTC
It is failing trying to convert the replication agreement to use SASL/GSSAPI.

We ran into a similar problem when Simo first implemented this but the 389-ds
team made a change to allow this. Will follow up with them.

Comment 6 Rob Crittenden 2011-03-31 21:34:36 UTC
According to Rich this looks like this bug was introduced in rc2 with cc578f1 Bug 668909 - Can't modify replication agreement in some cases.

Comment 7 Rich Megginson 2011-04-01 19:26:51 UTC
To ssh://git.engineering.redhat.com/srv/git/users/rmeggins/ds.git
   cc42a22..8a1e5ea  RHEL-6 -> RHEL-6
commit 8a1e5ea17ca9696e3cabca3fc14a066fab361309
Author: Rich Megginson <rmeggins>
Date:   Fri Apr 1 12:44:23 2011 -0600

Comment 9 Namita Soman 2011-04-06 12:51:33 UTC
Created attachment 490264 [details]
/var/log/dirsrv/slapd-TESTRELM/errors from slave machine

Comment 10 Namita Soman 2011-04-06 12:51:49 UTC
Tested using ds-replication-1.2.8.0-1.el6.x86_64
But the replica install hung.

When ipareplica-install.log goes through this step -
2011-04-06 08:13:32,846 DEBUG   [7/9]: enable GSSAPI for replication
didn't see any errors in this log...

but /var/log/dirsrv/slapd-TESTRELM/errors, at that time has -
[06/Apr/2011:08:15:30 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/qe-blade-05.testrelm@TESTRELM] in keytab [WRFILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[06/Apr/2011:08:15:30 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[06/Apr/2011:08:15:30 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[06/Apr/2011:08:15:30 -0400] - Waiting for 4 database threads to stop
[06/Apr/2011:08:15:31 -0400] - All database threads now stopped

and /var/log/messages also has-
Apr  6 08:13:39 qe-blade-05 ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)

Comment 11 Rich Megginson 2011-04-06 14:02:55 UTC
(In reply to comment #10)
> Tested using ds-replication-1.2.8.0-1.el6.x86_64
> But the replica install hung.
> 
> when ipareplica-install.log goes through this step -
> 2011-04-06 08:13:32,846 DEBUG   [7/9]: enable GSSAPI for replication
> didn't see any errors in this log...
> 
>  but /var/log/dirsrv/slapd-TESTRELM/errors, at that time has - 
> [06/Apr/2011:08:15:30 -0400] set_krb5_creds - Could not get initial credentials
> for principal [ldap/qe-blade-05.testrelm@TESTRELM] in keytab
> [WRFILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested
> realm)
> [06/Apr/2011:08:15:30 -0400] slapd_ldap_sasl_interactive_bind - Error: could
> not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code
> may provide more information (Credentials cache file '/tmp/krb5cc_496' not
> found))
> [06/Apr/2011:08:15:30 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [06/Apr/2011:08:15:30 -0400] - Waiting for 4 database threads to stop
> [06/Apr/2011:08:15:31 -0400] - All database threads now stopped
> 
> and /var/log/messages also has-
> Apr  6 08:13:39 qe-blade-05 ns-slapd: GSSAPI Error: Unspecified GSS failure. 
> Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_496' not found)

This is not the same error.  This looks like a different bug.  It looks as though the KDC is not available at this time.

Comment 12 Namita Soman 2011-04-06 14:30:23 UTC
Created attachment 490308 [details]
new install log when using ds-replication-1.2.8-0.10.rc5.el6

Comment 13 Namita Soman 2011-04-06 15:41:07 UTC
The issue originally reported when opening this bug has been addressed. So marking this "verified".

Opening new bug (bug 694156) to follow up on the next error thrown when installing replica.

Comment 14 Jenny Severance 2011-04-07 16:46:14 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
During Replica installation, you may see GSSAPI errors.  You can ignore these errors.

<example>
[07/Apr/2011:10:46:23 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[07/Apr/2011:10:46:23 -0400] NSMMReplicationPlugin - agmt="cn=meToipaqa64vmb.testrelm" (ipaqa64vmb:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
</example>

Comment 15 Rich Megginson 2011-04-07 16:58:30 UTC
Can you really ignore these errors?  Note that MMR using SASL/GSSAPI will not work until you restart the server, then these errors will be gone.

Comment 16 Rob Crittenden 2011-04-08 13:41:35 UTC
This installer restarts 389-ds at the end of installation so it should be fine.
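
A check for the point settled in comments 15 and 16, added here as an example and not taken from the bug report or from the 389-ds or IPA code: it classifies the Kerberos/GSSAPI failures in errors-log lines of the format quoted in this bug and returns any that are logged after the final server restart. The restart time is supplied by the caller (an assumption of this example), and the last sample line is constructed.

```python
import re
from datetime import datetime

# Errors-log lines in the format quoted in this bug. The first three are from
# comment 10; the last is constructed (hypothetical agreement name and time).
SAMPLE = [
    "[06/Apr/2011:08:15:30 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/qe-blade-05.testrelm@TESTRELM] in keytab [WRFILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm)",
    "[06/Apr/2011:08:15:30 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)",
    "[06/Apr/2011:08:15:31 -0400] - All database threads now stopped",
    "[06/Apr/2011:08:20:05 -0400] NSMMReplicationPlugin - agmt=\"cn=meToreplica.example\" (replica:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))",
]

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# [timestamp] optional-source - message
LINE = re.compile(r"^\[([^\]]+)\] (?:(\S+) )?- (.*)$")

def classify(msg):
    """Name the cause of a Kerberos/GSSAPI failure message, or None."""
    if "Cannot contact any KDC" in msg:
        return "kdc_unreachable"      # the separate problem noted in comment 11
    if "Credentials cache file" in msg and "not found" in msg:
        return "ccache_missing"       # the message the technical note covers
    if "mech [GSSAPI]" in msg or "GSSAPI auth failed" in msg:
        return "gssapi_unspecified"   # bind failed, no minor-code detail given
    return None

def gssapi_failures(lines):
    """Return (timestamp, source, cause) for each failure line."""
    found = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        cause = classify(m.group(3))
        if cause:
            when = datetime.strptime(m.group(1), TS_FORMAT)
            found.append((when, m.group(2) or "-", cause))
    return found

def persisting_after(lines, restart):
    """Failures logged after the restart; these are not install-time noise."""
    return [f for f in gssapi_failures(lines) if f[0] > restart]

if __name__ == "__main__":
    # Assumed restart time, chosen to fall between the sample entries.
    restart = datetime.strptime("06/Apr/2011:08:16:00 -0400", TS_FORMAT)
    for when, source, cause in persisting_after(SAMPLE, restart):
        print(when.isoformat(), source, cause)
```

An empty result from `persisting_after` matches the situation described in comment 16; any entry it returns means the replication bind is still failing after the restart.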

Comment 18 Ryan Lerch 2011-05-10 03:48:21 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,6 +1,6 @@
-During Replica installation, you may see GSSAPI errors.  You can ignore these errors.
+when installing a replica (using the ipa-replica-install command), GSSAPI errors similar to the following might be returned:
 
-<example>
 [07/Apr/2011:10:46:23 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
 [07/Apr/2011:10:46:23 -0400] NSMMReplicationPlugin - agmt="cn=meToipaqa64vmb.testrelm" (ipaqa64vmb:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
-</example>+
+These messages can be safely ignored.
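Review bot: the added closing line "These messages can be safely ignored." states the conclusion without the condition it rests on. Comment 15 notes that MMR using SASL/GSSAPI will not work until the server is restarted, and comment 16 that the installer restarts 389-ds at the end of installation. Suggest wording along the lines of "These messages stop once the installer restarts the directory server at the end of installation and can be ignored until then." Two smaller points: the new first line starts in lower case ("when installing"), and the removed "</example>" line is run together with a "+" in this rendering, so it is not clear whether a blank line was meant to be added before the closing sentence.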

Comment 19 errata-xmlrpc 2011-05-19 14:41:28 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0820.html

Comment 20 Chandrasekar Kannan 2011-09-16 21:33:24 UTC
ds-replication is no longer a component of RHEL. Folding back to 389-ds-base.