

ERROR 1290 (HY000): The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement

This is how to reset the root password on a MySQL 5.7 Galera node when the old one no longer works. The node is started alone (--wsrep-new-cluster) with --skip-grant-tables, which makes the server accept every connection without checking a password at all, so do this on a node that is cut off from clients (firewall the MySQL port, or at least work over the local socket) and drop the option again as soon as the new hash is written:

[root@mysql01 mysql]# systemctl set-environment MYSQLD_OPTS="--wsrep-new-cluster --skip-grant-tables"
[root@mysql01 mysql]# systemctl start mysqld
[root@mysql01 mysql]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 20
Server version: 5.7.24-log MySQL Community Server - (GPL), wsrep_25.16

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
mysql> UPDATE mysql.user SET password=password("MYSECRET") WHERE user='root';
ERROR 1054 (42S22): Unknown column 'password' in 'field list'
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MYSECRET');
ERROR 1290 (HY000): The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement
mysql>
mysql> update mysql.user set authentication_string=password('MYSECRET') where user='root';
Query OK, 1 row affected, 1 warning (0.03 sec)
Rows matched: 1  Changed: 1  Warnings: 1

mysql> show grants;
ERROR 1290 (HY000): The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement
mysql> 
mysql> flush privileges;
Query OK, 0 rows affected (0.03 sec)

mysql>
mysql> show grants;
ERROR 1141 (42000): There is no such grant defined for user 'skip-grants user' on host 'skip-grants host'
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)

mysql> show grants;
ERROR 1141 (42000): There is no such grant defined for user 'skip-grants user' on host 'skip-grants host'
mysql> quit
Bye

Now test the new password. The first two attempts pass it on the command line, which the client rightly warns about (it ends up in the process list and in shell history). The server also reports the account as having an expired password (ERROR 1820, see the bug report referenced at the end of this post), so the hash written straight into mysql.user has to be confirmed with the supported ALTER USER statement in an interactive session. The single warning on the UPDATE above is the deprecation notice for PASSWORD(), which 5.7 still accepts; in 5.7 the hash lives in authentication_string, the old password column is gone, hence the 1054 error:

 
[root@mysql01 mysql]# mysql -uroot -pMYSECRET -e'show grants'
mysql: [Warning] Using a password on the command line interface can be insecure.
Please use --connect-expired-password option or invoke mysql in interactive mode.
[root@mysql01 mysql]# mysql -uroot -p -e'show grants'
Enter password:
Please use --connect-expired-password option or invoke mysql in interactive mode.
[root@mysql01 mysql]#
mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 712
Server version: 5.7.24-log
 

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show grants;
ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'MYSECRET';
Query OK, 0 rows affected (0.01 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)

mysql> quit

Bye

Finally, get rid of --skip-grant-tables and bring the node up the normal way. A plain systemctl start on a unit that is already active does nothing, so stop mysqld before bootstrapping, and afterwards confirm the option is really gone (ps -o args= -C mysqld must not show --skip-grant-tables, and a connection with a wrong password must be refused). The Galera package's /usr/bin/mysqld_bootstrap shows how MYSQLD_OPTS is meant to be set and restored around a bootstrap:


[root@mysql01 mysql]# cat /usr/bin/mysqld_bootstrap
# Copyright (c) 2016, Codership Oy. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA

#
# A wsrep-enabled MySQL server daemon needs a special option if it is to start
# as the first node of a Galera cluster.
# With SystemV init, this could be passed as a "bootstrap" (rather than "start") command:
#     sudo service mysqld bootstrap
#
# With systemd, such alternative commands are not possible.
# However, systemd passes a set of environment variables to the service process
# it starts, and this set can be modified.
# Such a modification would be persistent, so it must be undone after use.
#
# If other options are set already, make sure to use them, and to restore them.

OLDVAL=$(systemctl show-environment | grep '^MYSQLD_OPTS=')

if [ -z "$OLDVAL" ]; then
    systemctl set-environment   MYSQLD_OPTS="--wsrep-new-cluster"
    systemctl start             mysqld
    systemctl unset-environment MYSQLD_OPTS
else
    systemctl set-environment   "$OLDVAL --wsrep-new-cluster"
    systemctl start             mysqld
    systemctl set-environment   "$OLDVAL"
fi

[root@mysql01 mysql]# systemctl unset-environment MYSQLD_OPTS
[root@mysql01 mysql]# /usr/bin/mysqld_bootstrap

[root@mysql01 mysql]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 29
Server version: 5.7.24-log MySQL Community Server - (GPL), wsrep_25.16

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
 

REF: https://bugs.mysql.com/bug.php?id=79027
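The whole procedure in one place, as an added example that is not part of the original post: a small shell script that does what the transcript above does by hand, keeps any MYSQLD_OPTS already set (the point of the mysqld_bootstrap script), stops the server before the real bootstrap, and checks at the end that the grant tables are enforced again. The unit name, socket path and location of mysqld_bootstrap are assumptions for a typical CentOS 7 Galera install; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): reset the MySQL 5.7 root password
# on a single Galera node that is bootstrapped on its own, then bring it back
# without --skip-grant-tables.
# Assumptions (hypothetical for this example): unit "mysqld", socket
# /var/lib/mysql/mysql.sock, Codership's /usr/bin/mysqld_bootstrap helper.
# While --skip-grant-tables is in effect ANY client connects as root with no
# password, so run this with the MySQL port firewalled.
# Usage:  sh reset_galera_root.sh 'New-Root-Password'
set -eu

SERVICE=mysqld
SOCKET=/var/lib/mysql/mysql.sock
BOOTSTRAP=/usr/bin/mysqld_bootstrap
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints commands instead of running them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Quote a value as a SQL string literal: wrap in single quotes, double embedded ones.
sql_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Merge whatever MYSQLD_OPTS already holds with the two flags this needs, so an
# operator-set option (a log path, say) is not silently dropped.
merge_opts() {
  extra='--wsrep-new-cluster --skip-grant-tables'
  if [ -z "$1" ]; then printf '%s' "$extra"; else printf '%s %s' "$1" "$extra"; fi
}

# SQL that works while grant tables are skipped: 5.7 keeps the hash in
# authentication_string (the old 'password' column no longer exists).
reset_sql() {
  pw=$(sql_quote "$1")
  printf "UPDATE mysql.user SET authentication_string=PASSWORD(%s) WHERE user='root' AND host='localhost';\n" "$pw"
  printf 'FLUSH PRIVILEGES;\n'
}

# SQL for the first login after the normal restart: ALTER USER is the supported
# 5.7 statement and clears the password-expired state (ERROR 1820).
finish_sql() {
  pw=$(sql_quote "$1")
  printf "ALTER USER 'root'@'localhost' IDENTIFIED BY %s;\n" "$pw"
}

main() {
  newpw=$1
  if [ "$DRY_RUN" != 1 ] && systemctl is-active --quiet "$SERVICE"; then
    echo "$SERVICE is running; stop it (and make sure this node may bootstrap) first" >&2
    exit 1
  fi
  old=$(systemctl show-environment 2>/dev/null | sed -n 's/^MYSQLD_OPTS=//p')
  run systemctl set-environment "MYSQLD_OPTS=$(merge_opts "$old")"
  run systemctl start "$SERVICE"
  reset_sql "$newpw" | run mysql --socket="$SOCKET" -u root
  # Stop before bootstrapping: 'systemctl start' on an active unit is a no-op
  # and would leave the node running with --skip-grant-tables.
  run systemctl stop "$SERVICE"
  if [ -z "$old" ]; then run systemctl unset-environment MYSQLD_OPTS
  else run systemctl set-environment "MYSQLD_OPTS=$old"; fi
  run "$BOOTSTRAP"
  # Pass the password through a mode-600 option file (it must be the first
  # option) so it is neither in the process list nor in the environment;
  # --connect-expired-password lets the client in so ALTER USER can run.
  cnf=$(mktemp)
  printf '[client]\nuser=root\npassword=%s\n' "$newpw" > "$cnf"   # quote in the file if it contains # or spaces
  finish_sql "$newpw" | run mysql --defaults-extra-file="$cnf" --socket="$SOCKET" --connect-expired-password
  rm -f "$cnf"
  # Verify the grant tables are enforced again: a wrong password must be rejected.
  if [ "$DRY_RUN" != 1 ] && MYSQL_PWD="wrong-$$" mysql --socket="$SOCKET" -u root -e 'SELECT 1' >/dev/null 2>&1; then
    echo "WARNING: server still accepts any password; grant tables are not enforced" >&2
    exit 1
  fi
  echo "root password reset; node bootstrapped without --skip-grant-tables"
}

[ $# -eq 0 ] || main "$@"
```

The helper functions only build strings, so the SQL and the merged option line can be checked without touching a server; everything that talks to systemd or mysqld goes through run() and can be previewed with DRY_RUN=1.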

Cheers,
TK

Zabbix: active check configuration update from [linsrvj01.nix.mds.xyz:10051] started to fail (cannot connect to [[mickey-mouse01.disney.land]:10051]: [111] Connection refused)

You are here because you are getting:

Zabbix: active check configuration update from [linsrvj01.nix.mds.xyz:10051] started to fail (cannot connect to [[mickey-mouse01.disney.land]:10051]: [111] Connection refused)

likely because SELinux is blocking the agent or the server from its socket. The denials show up in /var/log/audit/audit.log as AVC records such as:

/var/log/audit/audit.log
type=AVC msg=audit(1550015414.857:191): avc:  denied  { write } for  pid=2030 comm="rpc.statd" path="/run/rpc.statd.lock" dev="tmpfs" ino=19053 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

and you are probably looking to solve the problem using:

grep AVC /var/log/audit/audit.log* | audit2allow -M systemd-allow; semodule -i systemd-allow.pp

Run the above a number of times until the denied messages stop flowing into audit.log. Be aware of what it does, though: it turns every denial in every rotated audit log into an allow rule, not only the ones behind this error (the record above, for instance, is rpc.statd writing its lock file and has nothing to do with port 10051). Read the generated systemd-allow.te before loading the .pp, and narrow the input to the process you are actually fixing, e.g. grep 'comm="zabbix' /var/log/audit/audit.log. Where the denial is a port or a network access, the targeted fix is the policy knob that already exists rather than a custom module: setsebool -P zabbix_can_network on, or semanage port for a non-standard port.

Rgds,
TK

Nagios: connect to host 192.168.0.101 port 5666: Connection refused

Getting:

Nagios: connect to host 192.168.0.101 port 5666: Connection refused

Resolve it by setting the bind address in nrpe.cfg. With server_address=127.0.0.1 NRPE listens on the loopback interface only, so a Nagios server on another host is refused. Here it was changed to bind on all interfaces; if you do the same, also restrict allowed_hosts in the same file to the Nagios server's address and keep port 5666 firewalled from everything else, because NRPE now accepts connections on every interface:

[root@mbpc-pc nrpe]# grep server_address /etc/nagios/nrpe.cfg
# server_address=127.0.0.1
server_address=0.0.0.0
[root@mbpc-pc nrpe]#

Thx,
TK

Nagios: Error: Could not read object configuration data!

Are you getting the following after installing Nagios?

Nagios:  Error: Could not read object configuration data!

Then check the following:

1) /var/log/nagios is owned by nagios:nagios, both the folder and the log files in it.

2) /etc/nagios is owned by nagios:nagios, both the folder and the files within it.

3) SELinux: rather than disabling it, check /var/log/audit/audit.log for denied messages. If you have anything similar to this:

type=AVC msg=audit(1552361910.706:4892): avc:  denied  { execute_no_trans } for  pid=31322 comm="nagios" path="/usr/sbin/nagios" dev="dm-0" ino=691069 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:nagios_exec_t:s0 tclass=file permissive=0

4) Issue the following command to allow the denied entries (you may need to run it a few times):

# grep AVC /var/log/audit/audit.log* | audit2allow -M systemd-allow; semodule -i systemd-allow.pp

This grants every denial found in every audit log, not only the Nagios ones, so read systemd-allow.te before installing the module and narrow the grep to comm="nagios" where you can. The denial shown above is the nagios domain executing /usr/sbin/nagios without a domain transition; that single rule is all the module needs to contain.

5) Eventually you will be greeted with the Daemon running with PID 433 message, meaning you've taken care of the last SELinux blocker.
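To see what you are about to allow before you allow it, here is an added example (not from the original posts) that serves both this Nagios post and the Zabbix one above: a shell helper that reduces audit records to one line per process, source type, target type, class and permission, plus a wrapper that builds a module from the denials of a single process only. The two sample records are the ones quoted in the two posts; audit2allow and semodule are assumed to be installed (policycoreutils-python on EL7).

```shell
#!/bin/sh
# Added example (not from the original posts): summarise SELinux AVC denials
# per process before deciding what to allow, instead of feeding every denial
# in every rotated audit log to audit2allow.
set -eu

# The two records quoted in the Zabbix and Nagios posts, embedded so the
# summary can be exercised offline.
SAMPLE_AVC='type=AVC msg=audit(1550015414.857:191): avc:  denied  { write } for  pid=2030 comm="rpc.statd" path="/run/rpc.statd.lock" dev="tmpfs" ino=19053 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1552361910.706:4892): avc:  denied  { execute_no_trans } for  pid=31322 comm="nagios" path="/usr/sbin/nagios" dev="dm-0" ino=691069 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:nagios_exec_t:s0 tclass=file permissive=0'

# One line per distinct (process, source type, target type, class, permissions),
# read from audit records on stdin. Makes it obvious that the rpc.statd denial
# has nothing to do with a Zabbix or Nagios port problem.
avc_summary() {
  awk '/avc: *denied/ {
    comm = ""; s = ""; t = ""; cls = ""; perms = ""; inperm = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { inperm = 1; continue }
      if ($i == "}") { inperm = 0; continue }
      if (inperm)    { perms = perms (perms == "" ? "" : ",") $i; continue }
      if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
      if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }   # third field is the type
      if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
      if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
    }
    print comm, s, t, cls, perms
  }' | sort -u
}

# Keep only the denials for one process name (comm), read from stdin.
avc_for_comm() {
  grep "comm=\"$1\"" | grep 'avc: *denied'
}

# Build a module from the denials of one process only, then stop so the
# operator can read the generated .te before loading the .pp with semodule.
build_module_for() {
  comm=$1; mod=$2; shift 2
  cat "$@" | avc_for_comm "$comm" | audit2allow -M "$mod"
  printf 'Review %s.te, then: semodule -i %s.pp\n' "$mod" "$mod"
}

# Summary over the embedded sample; runs without an audit log.
summarize_sample() {
  printf '%s\n' "$SAMPLE_AVC" | avc_summary
}

# summarize_sample prints:
#   nagios nagios_t nagios_exec_t file execute_no_trans
#   rpc.statd rpcd_t var_run_t file write
# Real use:  build_module_for nagios nagios-local /var/log/audit/audit.log*
```

Run avc_summary over the real log first (cat /var/log/audit/audit.log | avc_summary); each line is one rule the blanket command would have generated, which is the list you actually have to justify.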

Rgds,
TK

ERROR 1045 (28000): Access denied for user 'root'@'mysql03.nix.mds.xyz' (using password: YES)

If you get this when connecting through the cluster address:

[root@mbpc-pc ~]# mysql -h mysql-c01 -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'mysql03.nix.mds.xyz' (using password: YES)
[root@mbpc-pc ~]#

the server found no row in mysql.user for root arriving from that client host. The fix below creates root accounts for the client domains (the GRANT ... IDENTIFIED BY form that 5.7 warns about is deprecated; CREATE USER followed by GRANT is the supported way). Two cautions before copying it: uninstalling validate_password to get a password through and reinstalling it afterwards leaves that weak password in place, because the plugin only checks at the moment a password is set; and root with ALL PRIVILEGES ... WITH GRANT OPTION reachable from two wildcard host patterns is a large target, so a dedicated administrative account restricted to the hosts that need it, with a policy-compliant password, is the better shape:

mysql> uninstall plugin validate_password;
Query OK, 0 rows affected (0.02 sec)

mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%.mws.mds.xyz'
    ->     WITH GRANT OPTION;
ERROR 1133 (42000): Can't find any matching row in the user table
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql>
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%.mws.mds.xyz' IDENTIFIED BY 'SECRET' WITH GRANT OPTION;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.02 sec)

mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%.nix.mds.xyz' IDENTIFIED BY 'SECRET' WITH GRANT OPTION;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)

mysql>
mysql> show grants;
+---------------------------------------------------------------------+
| Grants for root@localhost                                           |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION        |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> INSTALL PLUGIN validate_password SONAME 'validate_password.so';
Query OK, 0 rows affected (0.01 sec)

mysql>

Thx,
TK

ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

A sequence of MySQL 5.7 errors and how each one was resolved. The first GRANT fails with 1819 because root@'%' does not exist yet, so the server tries to create it with an empty password, which the validate_password plugin rejects; with the plugin unloaded the same GRANT fails with 1133 because 5.7's default sql_mode (NO_AUTO_CREATE_USER) no longer creates accounts through GRANT, hence the explicit CREATE USER. Reinstalling the plugin afterwards does not retroactively check 'passpass': the plugin validates only when a password is set, so the weak password stays, and root@'%' with ALL PRIVILEGES ... WITH GRANT OPTION is then reachable from every host. Pick a password that satisfies the policy and scope the account to the hosts that need it instead:

[root@mysql02 ~]# mysql -h localhost -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 621464
Server version: 5.7.21 MySQL Community Server - (GPL), wsrep_25.14

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant all privileges on *.* to 'root'@'%' with grant option;
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> uninstall plugin validate_password;
Query OK, 0 rows affected (0.16 sec)

mysql> grant all privileges on *.* to 'root'@'%' with grant option;
ERROR 1133 (42000): Can't find any matching row in the user table
mysql> CREATE USER 'root'@'%' IDENTIFIED BY 'passpass';
Query OK, 0 rows affected (0.14 sec)

mysql> grant all privileges on *.* to 'root'@'%' with grant option;
Query OK, 0 rows affected (0.27 sec)

mysql> INSTALL PLUGIN validate_password SONAME 'validate_password.so';
Query OK, 0 rows affected (0.08 sec)

mysql> quit
Bye
[root@mysql02 ~]#
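As an added example that is not part of the original posts, covering this post and the ERROR 1045 one above: a shell script that creates a restricted administrative account with a password validate_password's MEDIUM policy accepts, so the plugin never has to be unloaded. The policy thresholds are the MEDIUM defaults (length 8, one upper, one lower, one digit, one special character); the account name, host pattern and privilege list are placeholders to adapt.

```shell
#!/bin/sh
# Added example (not from the original posts): emit CREATE USER / GRANT for a
# remote administrative MySQL 5.7 account that passes validate_password, so
# the plugin stays loaded. Account name, host pattern and privilege list are
# hypothetical placeholders. Usage:  sh mk_admin.sh dba mon.nix.mds.xyz | mysql
set -eu

# Mirror of validate_password's MEDIUM policy: 0 when the password would be
# accepted, 1 otherwise. Check here and fix the password, not the plugin.
meets_medium_policy() {
  pw=$1
  [ "${#pw}" -ge 8 ] || return 1
  printf '%s' "$pw" | grep -q '[A-Z]' || return 1
  printf '%s' "$pw" | grep -q '[a-z]' || return 1
  printf '%s' "$pw" | grep -q '[0-9]' || return 1
  printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || return 1
  return 0
}

# Random alphanumerics plus one character of each required class: 20 chars
# that satisfy the policy without weakening it.
gen_password() {
  base=$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-16)
  printf '%sAa1#' "$base"
}

# Quote a value as a SQL string literal (double any embedded single quote).
sql_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# CREATE USER then GRANT is the supported 5.7 form; GRANT ... IDENTIFIED BY
# (the statement that warned on the page) is deprecated. Privileges are a
# named list on one host pattern rather than ALL PRIVILEGES on '%'.
admin_account_sql() {
  user=$1; host=$2; pw=$3; privs=$4
  printf 'CREATE USER %s@%s IDENTIFIED BY %s;\n' "$(sql_quote "$user")" "$(sql_quote "$host")" "$(sql_quote "$pw")"
  printf 'GRANT %s ON *.* TO %s@%s;\n' "$privs" "$(sql_quote "$user")" "$(sql_quote "$host")"
  printf 'FLUSH PRIVILEGES;\n'
}

main() {
  user=$1; host=$2
  pw=$(gen_password)
  meets_medium_policy "$pw" || { echo "generated password fails policy" >&2; exit 1; }
  # SQL on stdout (pipe into mysql), the password on stderr for the operator.
  admin_account_sql "$user" "$host" "$pw" 'SELECT, PROCESS, RELOAD, SHOW DATABASES, REPLICATION CLIENT'
  printf -- '-- password for %s@%s: %s\n' "$user" "$host" "$pw" >&2
}

[ $# -lt 2 ] || main "$@"
```

If CREATE USER still returns 1819 with a password that passes meets_medium_policy, the server is running the STRONG policy (which adds a dictionary check) or has raised the thresholds; SHOW VARIABLES LIKE 'validate_password%' shows which.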

Thx,
TK

Cloudera Manager: Exception: It seems that a CA setup has already been created.

If you get this message:

Exception: It seems that a CA setup has already been created.

the certmanager state directory already exists from an earlier, failed run. Move it aside rather than deleting it (rmdir only removes an empty directory anyway, and this one holds the Cloudera Manager CA private key under private/ and CMCA/, which any host certificates already issued depend on):

[root@cm-r01nn01 ~]# mv /var/lib/cloudera-scm-server/certmanager /var/lib/cloudera-scm-server/certmanager.bak

And rerun the correct command as per the Cloudera Installation Pages:

JAVA_HOME=/usr/java/jdk1.8.0_181-cloudera /opt/cloudera/cm-agent/bin/certmanager setup --configure-services

The original error came from a first run with the JAVA_HOME path given in the Cloudera documentation, which was written for an older JDK build than the one installed here:

JAVA_HOME=/usr/java/jdk1.8.0_141-cloudera /opt/cloudera/cm-agent/bin/certmanager setup --configure-services

That run failed part way and left the directory behind, and the next attempt refused to overwrite it. Once successful, the output should be as follows (note that private, CMCA and hosts-key-store come out mode 700 and owned by cloudera-scm; keep it that way if you ever restore them from the copy you moved aside):

[root@cm-r01nn01 ~]# JAVA_HOME=/usr/java/jdk1.8.0_181-cloudera /opt/cloudera/cm-agent/bin/certmanager setup --configure-services
INFO:root:Logging to /var/log/cloudera-scm-agent/certmanager.log
[root@cm-r01nn01 ~]# ls -altri /var/lib/cloudera-scm-server/certmanager
total 24
  3317904 drwxrwx---. 3 cloudera-scm cloudera-scm   24 Mar  3 23:44 ..
 71595544 -rw-r--r--. 1 cloudera-scm cloudera-scm   65 Mar  3 23:44 frozen_config.ini
134523303 drwx------. 2 cloudera-scm cloudera-scm 4096 Mar  3 23:44 private
202434209 drwxr-xr-x. 2 cloudera-scm cloudera-scm 4096 Mar  3 23:44 trust-store
 71595545 drwx------. 4 cloudera-scm cloudera-scm   76 Mar  3 23:44 CMCA
  3435858 drwx------. 3 cloudera-scm cloudera-scm   35 Mar  3 23:44 hosts-key-store
 71595550 -rwxr-xr-x. 1 cloudera-scm cloudera-scm  144 Mar  3 23:44 generate_host_cert
 71595543 drwxr-xr-x. 6 cloudera-scm cloudera-scm 4096 Mar  3 23:44 .
 71595311 -rw-------. 1 cloudera-scm cloudera-scm  835 Mar  3 23:44 cm_init.txt
[root@cm-r01nn01 ~]#

 

Thx,
TK

LDAP ldapmodify: additional info: attribute "ipaBaseID" not allowed

When modifying LDAP entries, you may get the following error:

[root@idmipa03 ~]# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-MWS-MDS-XYZ.socket << EOF
> dn: cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz
> changetype: modify
> replace: ipaBaseID
> ipaBaseID: 155600000
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz"
ldap_modify: Object class violation (65)
        additional info: attribute "ipaBaseID" not allowed

What the error means is that the entry at that DN has no object class that allows ipaBaseID: cn=ranges,cn=etc,... is only the container, and the range itself is the entry one level below it (cn=MDS.XYZ_id_range,cn=ranges,cn=etc,...). Which attributes an entry may carry is decided by its object classes, and the schema can be inspected with tools like jxplorer:

jXplorer Directory Listing

From the above, navigating to the ipaIDrange schema object tells us what that class requires:

LDAP Directory Schema

The required attributes are listed under MUST:

MUST
  • cn
  • ipaBaseID
  • ipaIDRangeSize
  • ipaRangeType

A range for an AD trust additionally carries the ipaTrustedADDomainRange class, whose MUST list is:

MUST
  • ipaBaseRID
  • ipaNTTrustedDomainSID

Together these are the attributes a range entry always has. The modification below targets the range entry and re-sends every MUST attribute with its current value alongside the one we actually change; re-sending unchanged values is harmless, but what makes the operation succeed is the DN. Two further cautions: ldapi with SASL EXTERNAL as root binds with full directory rights and bypasses the checks the IPA API performs, so prefer ipa idrange-mod where it can make the change, and keep a copy of the entry (an ldapsearch of it, or a full ipa-backup) before editing, because the ranges decide how trusted users' IDs are mapped and validated:

[root@idmipa03 ~]# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-MWS-MDS-XYZ.socket << EOF
> dn: cn=MDS.XYZ_id_range,cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz
> changetype: modify
> replace: ipaBaseRID
> ipaBaseRID: 155600000
> -
> replace: ipaBaseID
> ipaBaseID: 155600000
> -
> replace: ipaIDRangeSize
> ipaIDRangeSize: 200000
> -
> replace: ipaNTTrustedDomainSID
> ipaNTTrustedDomainSID: S-1-5-21-1803828911-4163023034-2461700517
> -
> replace: ipaRangeType
> ipaRangeType: ipa-ad-trust-posix
> -
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=MDS.XYZ_id_range,cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz"

[root@idmipa03 ~]#
 

And we finally have a successful modification.

Cheers,
TK

LDAP ldapmodify: additional info: single-valued attribute "ipaBaseRID" has multiple values

You may run into the following when trying to modify the FreeIPA ID Ranges:

[root@ipa03 ~]# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-MWS-MDS-XYZ.socket << EOF
> dn: cn=MDS.XYZ_id_range,cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz
> changetype: modify
> add: ipaBaseRID
> ipaBaseRID: 200000000
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=MDS.XYZ_id_range,cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz"
ldap_modify: Object class violation (65)
        additional info: single-valued attribute "ipaBaseRID" has multiple values

The real issue is the line:

> add: ipaBaseRID

The error means you are trying to ADD a second ipaBaseRID value instead of replacing the existing one. The schema defines ipaBaseRID as SINGLE-VALUE, so an entry may carry only one value for it, and the directory rejects the operation rather than ending up with two. (The add form is only right for multi-valued attributes such as member, or when the attribute is absent.)

The correct syntax is therefore to use replace:

[root@idmipa03 ~]# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-MWS-MDS-XYZ.socket << EOF
> dn: cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz
> changetype: modify
> replace: ipaBaseID
> ipaBaseID: 155600000
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz"
ldap_modify: Object class violation (65)
        additional info: attribute "ipaBaseID" not allowed

NOTE: the attempt above still fails, but for a different reason: the DN it targets is the cn=ranges container rather than the range entry beneath it, whose object classes allow ipaBaseID. That is the error covered on the LDAP ldapmodify: additional info: attribute "ipaBaseID" not allowed page; the same replace against the range entry's DN (cn=MDS.XYZ_id_range,cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz) succeeds.
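As an added example that is not part of the original posts, covering both this post and the attribute "ipaBaseID" not allowed one above: a shell helper that builds the replace-style LDIF correctly (one mod-spec per attribute, each closed with a "-", no blank lines inside the record) and, before sending it, checks over ldapi that the DN is an ipaIDrange entry rather than the cn=ranges container. The socket path and base DN are the ones on the page; the ldapsearch/ldapmodify steps need a live server, the LDIF builder does not.

```shell
#!/bin/sh
# Added example (not from the original posts): generate a correct ldapmodify
# input for a FreeIPA ID range and refuse to send it to the wrong DN.
# Socket path and base DN are the page's; treat them as assumptions.
set -eu

LDAPI='ldapi://%2fvar%2frun%2fslapd-MWS-MDS-XYZ.socket'
BASEDN='dc=mws,dc=mds,dc=xyz'

# DN of a range entry: one level below the cn=ranges container.
range_dn() {
  printf 'cn=%s,cn=ranges,cn=etc,%s' "$1" "$BASEDN"
}

# Modify LDIF using "replace" for every ATTR=VALUE argument, each mod-spec
# terminated by "-" (RFC 2849). "replace" is what "add" cannot do on a
# single-valued attribute: add would leave two values and fail with
# "single-valued attribute ... has multiple values". No blank line is emitted
# inside the record, because a blank line ends an LDIF record.
mod_ldif() {
  dn=$1; shift
  printf 'dn: %s\nchangetype: modify\n' "$dn"
  for kv in "$@"; do
    attr=${kv%%=*}
    val=${kv#*=}
    printf 'replace: %s\n%s: %s\n-\n' "$attr" "$attr" "$val"
  done
}

# True when the entry carries the object class that allows ipaBaseID.
# Needs a live server; binds as root over ldapi with SASL EXTERNAL.
is_range_entry() {
  ldapsearch -Q -LLL -Y EXTERNAL -H "$LDAPI" -b "$1" -s base objectClass 2>/dev/null \
    | grep -qi '^objectClass: ipaIDrange$'
}

# Preflight, then apply. Sending the change to the cn=ranges container is
# what produced "attribute ipaBaseID not allowed" on the page.
apply_range_mod() {
  dn=$1; shift
  if ! is_range_entry "$dn"; then
    echo "refusing: $dn is not an ipaIDrange entry (did you target the container?)" >&2
    return 1
  fi
  mod_ldif "$dn" "$@" | ldapmodify -Q -Y EXTERNAL -H "$LDAPI"
}

# Example against a server:
#   apply_range_mod "$(range_dn MDS.XYZ_id_range)" ipaBaseID=155600000 ipaBaseRID=155600000
```

Print the LDIF first (mod_ldif "$(range_dn MDS.XYZ_id_range)" ipaBaseID=155600000) and compare it with what ipa idrange-show reports for the entry before applying anything.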

Cheers,
TK

 

Free IPA Replication Verification Tool

There is a tool, checkipaconsistency, that compares the replicated objects across every FreeIPA server and flags differences:

yum install git -y; git clone https://github.com/peterpakos/checkipaconsistency.git

Two notes before running it: it is a third-party script you hand directory-admin credentials to, so read through the clone (or pin a released tag) before the first run, and put the bind password in the tool's config file rather than passing it with -W on the command line, where it is visible to every local user in the process list and lands in shell history. A FAIL row means the servers differ on that item and is worth chasing down, as with the ADTrust line here:

# ./cipa -d mws.mds.xyz -W "SECRET"
+--------------------+------------+-------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04    | STATE |
+--------------------+------------+-------------+-------+
| Active Users       | 1          | 1           | OK    |
| Stage Users        | 0          | 0           | OK    |
| Preserved Users    | 0          | 0           | OK    |
| Hosts              | 2          | 2           | OK    |
| Services           | 11         | 11          | OK    |
| User Groups        | 10         | 10          | OK    |
| Host Groups        | 1          | 1           | OK    |
| Netgroups          | 0          | 0           | OK    |
| HBAC Rules         | 1          | 1           | OK    |
| SUDO Rules         | 0          | 0           | OK    |
| DNS Zones          | 3          | 3           | OK    |
| Certificates       | 17         | 17          | OK    |
| LDAP Conflicts     | 0          | 0           | OK    |
| Ghost Replicas     | 0          | 0           | OK    |
| Anonymous BIND     | ON         | ON          | OK    |
| Microsoft ADTrust  | True       | False       | FAIL  |
| Replication Status | idmipa04 0 | idmipa03 18 | OK    |
+--------------------+------------+-------------+-------+
#

Cheers,
TK


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License