Bug 692469 - Replica install fails after step for "enable GSSAPI for replication"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.1
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact:
URL:
Whiteboard:
Depends On: 692937
Blocks: 694571 702988
Reported: 2011-03-31 12:22 UTC by Namita Soman
Modified: 2011-09-16 21:33 UTC

Fixed In Version: ds-replication-1.2.8-0.10.rc5.el6
Doc Type: Bug Fix
Doc Text:
When installing a replica (using the ipa-replica-install command), GSSAPI errors similar to the following might be returned:
[07/Apr/2011:10:46:23 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[07/Apr/2011:10:46:23 -0400] NSMMReplicationPlugin - agmt="cn=meToipaqa64vmb.testrelm" (ipaqa64vmb:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
These messages can be safely ignored.
Clone Of:
: 692937 694571 (view as bug list)
Environment:
Last Closed: 2011-05-19 14:41:28 UTC
Target Upstream Version:
Embargoed:


Attachments
Replica Install Log (373.63 KB, text/plain), 2011-03-31 12:24 UTC, Namita Soman
tail of /var/log/dirsrv/slapd-TESTRELM/errors (2.71 KB, text/plain), 2011-03-31 17:42 UTC, Namita Soman
/var/log/dirsrv/slapd-TESTRELM/errors from slave machine (15.57 KB, application/text), 2011-04-06 12:51 UTC, Namita Soman
new install log when using ds-replication-1.2.8-0.10.rc5.el6 (2.64 MB, text/plain), 2011-04-06 14:30 UTC, Namita Soman


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2011:0820 0 normal SHIPPED_LIVE new package: ds-replication 2011-05-19 14:41:19 UTC

Description Namita Soman 2011-03-31 12:22:34 UTC
Description of problem:
Replica install indicates an error and doesn't complete successfully
Run an install for replica, and it throws an error -
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
creation of replica failed: {'desc': 'Operations error'}

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Version-Release number of selected component (if applicable):
ipa-server-2.0.0-17.el6.x86_64
ds-replication-1.2.8-0.7.rc2.el6.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install replica using command:
ipa-replica-install --setup-dns  --no-forwarder -p Secret123 replica-info-rhel61-server2.testrelm.gpg -d

Actual results:
Install fails

Expected results:
Replica should be installed

Additional info:

Comment 1 Namita Soman 2011-03-31 12:24:16 UTC
Created attachment 489057 [details]
Replica Install Log

Comment 2 Rob Crittenden 2011-03-31 12:40:23 UTC
Can you see if there are any logged errors in /var/log/dirsrv/slapd-TESTRELM/errors?

Comment 4 Namita Soman 2011-03-31 17:42:12 UTC
Created attachment 489183 [details]
tail of /var/log/dirsrv/slapd-TESTRELM/errors

Comment 5 Rob Crittenden 2011-03-31 18:33:54 UTC
It is failing trying to convert the replication agreement to use SASL/GSSAPI.

We ran into a similar problem when Simo first implemented this but the 389-ds
team made a change to allow this. Will follow up with them.

Comment 6 Rob Crittenden 2011-03-31 21:34:36 UTC
According to Rich this looks like this bug was introduced in rc2 with cc578f1 Bug 668909 - Can't modify replication agreement in some cases.

Comment 7 Rich Megginson 2011-04-01 19:26:51 UTC
To ssh://git.engineering.redhat.com/srv/git/users/rmeggins/ds.git
   cc42a22..8a1e5ea  RHEL-6 -> RHEL-6
commit 8a1e5ea17ca9696e3cabca3fc14a066fab361309
Author: Rich Megginson <rmeggins>
Date:   Fri Apr 1 12:44:23 2011 -0600

Comment 9 Namita Soman 2011-04-06 12:51:33 UTC
Created attachment 490264 [details]
/var/log/dirsrv/slapd-TESTRELM/errors from slave machine

Comment 10 Namita Soman 2011-04-06 12:51:49 UTC
Tested using ds-replication-1.2.8.0-1.el6.x86_64
But the replica install hung.

when ipareplica-install.log goes through this step -
2011-04-06 08:13:32,846 DEBUG   [7/9]: enable GSSAPI for replication
didn't see any errors in this log...

 but /var/log/dirsrv/slapd-TESTRELM/errors, at that time has - 
[06/Apr/2011:08:15:30 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/qe-blade-05.testrelm@TESTRELM] in keytab [WRFILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[06/Apr/2011:08:15:30 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[06/Apr/2011:08:15:30 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[06/Apr/2011:08:15:30 -0400] - Waiting for 4 database threads to stop
[06/Apr/2011:08:15:31 -0400] - All database threads now stopped

and /var/log/messages also has-
Apr  6 08:13:39 qe-blade-05 ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)

Comment 11 Rich Megginson 2011-04-06 14:02:55 UTC
(In reply to comment #10)
> Tested using ds-replication-1.2.8.0-1.el6.x86_64
> But the replica install hung.
> 
> when ipareplica-install.log goes through this step -
> 2011-04-06 08:13:32,846 DEBUG   [7/9]: enable GSSAPI for replication
> didn't see any errors in this log...
> 
>  but /var/log/dirsrv/slapd-TESTRELM/errors, at that time has - 
> [06/Apr/2011:08:15:30 -0400] set_krb5_creds - Could not get initial credentials
> for principal [ldap/qe-blade-05.testrelm@TESTRELM] in keytab
> [WRFILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested
> realm)
> [06/Apr/2011:08:15:30 -0400] slapd_ldap_sasl_interactive_bind - Error: could
> not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code
> may provide more information (Credentials cache file '/tmp/krb5cc_496' not
> found))
> [06/Apr/2011:08:15:30 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [06/Apr/2011:08:15:30 -0400] - Waiting for 4 database threads to stop
> [06/Apr/2011:08:15:31 -0400] - All database threads now stopped
> 
> and /var/log/messages also has-
> Apr  6 08:13:39 qe-blade-05 ns-slapd: GSSAPI Error: Unspecified GSS failure. 
> Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_496' not found)

This is not the same error.  This looks like a different bug.  It looks as though the KDC is not available at this time.

Comment 12 Namita Soman 2011-04-06 14:30:23 UTC
Created attachment 490308 [details]
new install log when using ds-replication-1.2.8-0.10.rc5.el6

Comment 13 Namita Soman 2011-04-06 15:41:07 UTC
The issue originally reported when opening this bug has been addressed. So marking this "verified".

Opening new bug (bug 694156) to follow up on the next error thrown when installing replica.

Comment 14 Jenny Severance 2011-04-07 16:46:14 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
During Replica installation, you may see GSSAPI errors.  You can ignore these errors.

<example>
[07/Apr/2011:10:46:23 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[07/Apr/2011:10:46:23 -0400] NSMMReplicationPlugin - agmt="cn=meToipaqa64vmb.testrelm" (ipaqa64vmb:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
</example>

Comment 15 Rich Megginson 2011-04-07 16:58:30 UTC
Can you really ignore these errors?  Note that MMR using SASL/GSSAPI will not work until you restart the server, then these errors will be gone.

Comment 16 Rob Crittenden 2011-04-08 13:41:35 UTC
This installer restarts 389-ds at the end of installation so it should be fine.
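
The distinction drawn in comments 11, 15 and 16, as an added example that is not part of the original report or of the 389-ds or IPA code: a triage pass over the directory server errors log that separates the "cannot contact any KDC" fault from GSSAPI bind errors, and treats the latter as expected only before the restart at the end of installation. The function names, verdict labels and the restart time are assumptions made for illustration.

```python
import re
from datetime import datetime

# 389-ds errors log line: "[06/Apr/2011:08:15:30 -0400] <component> - <message>"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
KDC_UNREACHABLE = "Cannot contact any KDC for requested realm"
GSSAPI_MARKERS = ("mech [GSSAPI]", "GSSAPI auth failed", "GSSAPI Error")

def classify(line, restart_at):
    """Return a verdict for a Kerberos/GSSAPI error line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    msg = m.group("msg")
    if KDC_UNREACHABLE in msg:
        return "kdc-unreachable"      # comment 11: a different fault, never ignorable
    if any(marker in msg for marker in GSSAPI_MARKERS):
        # comments 15-16: expected only until the installer restarts 389-ds
        return "expected-before-restart" if ts < restart_at else "investigate"
    return None

def triage(lines, restart_at):
    """Count verdicts over an errors log; restart_at must be timezone-aware."""
    counts = {}
    for line in lines:
        verdict = classify(line, restart_at)
        if verdict:
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Assumed restart time (constructed); in practice take it from the install log.
RESTART_AT = datetime.strptime("07/Apr/2011:10:50:00 -0400", TS_FORMAT)
SAMPLE = [
    # From comment 10 of this report, shortened
    "[06/Apr/2011:08:15:30 -0400] set_krb5_creds - Could not get initial credentials: -1765328228 (Cannot contact any KDC for requested realm)",
    "[06/Apr/2011:08:15:31 -0400] - All database threads now stopped",
    # From the technical note in comment 14
    "[07/Apr/2011:10:46:23 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)",
    # Constructed: the same error after the assumed restart
    "[07/Apr/2011:11:05:00 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)",
]

if __name__ == "__main__":
    print(triage(SAMPLE, RESTART_AT))
```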

Comment 18 Ryan Lerch 2011-05-10 03:48:21 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,6 +1,6 @@
-During Replica installation, you may see GSSAPI errors.  You can ignore these errors.
+when installing a replica (using the ipa-replica-install command), GSSAPI errors similar to the following might be returned:
 
-<example>
 [07/Apr/2011:10:46:23 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
 [07/Apr/2011:10:46:23 -0400] NSMMReplicationPlugin - agmt="cn=meToipaqa64vmb.testrelm" (ipaqa64vmb:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
-</example>+
+These messages can be safely ignored.
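
Review bot: the added last line, "These messages can be safely ignored.", states the conclusion without the condition it rests on in comments 15 and 16: replication over SASL/GSSAPI does not work until the server is restarted, and the errors are harmless only because the installer restarts 389-ds at the end of installation. Suggest wording it as errors that stop once ipa-replica-install has restarted the directory server, so that the same messages seen after that restart are not dismissed. The added first line also opens with a lowercase "when", and the removed "</example>" line is run together with a stray "+".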

Comment 19 errata-xmlrpc 2011-05-19 14:41:28 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0820.html

Comment 20 Chandrasekar Kannan 2011-09-16 21:33:24 UTC
ds-replication is no longer a component of rhel. folding back to 389-ds-base.

