Archive for February, 2019

LDAP ldapmodify: additional info: attribute “ipaBaseID” not allowed

When modifying LDAP entries, you may get the following error:

    [root@idmipa03 ~]# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-MWS-MDS-XYZ.socket << EOF
    > dn: cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz
    > changetype: modify
    > replace: ipaBaseID
    > ipaBaseID: 155600000
    > EOF
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz"
    ldap_modify: Object class violation (65)
            additional info: attribute […]

LDAP ldapmodify: additional info: single-valued attribute “ipaBaseRID” has multiple values

You may run into the following when trying to modify the FreeIPA ID Ranges:

    [root@ipa03 ~]# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-MWS-MDS-XYZ.socket << EOF
    > dn: cn=MDS.XYZ_id_range,cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz
    > changetype: modify
    > add: ipaBaseRID
    > ipaBaseRID: 200000000
    > EOF
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=MDS.XYZ_id_range,cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz"
    ldap_modify: Object class violation (65)
    […]

Free IPA Replication Verification Tool

There is a tool available that verifies the replication of each FreeIPA host:

    yum install git -y; git clone https://github.com/peterpakos/checkipaconsistency.git
    # ./cipa -d mws.mds.xyz -W "SECRET"
    +--------------------+------------+-------------+-------+
    | FreeIPA servers:   | idmipa03   | idmipa04    | STATE |
    +--------------------+------------+-------------+-------+
    | Active Users       | 1       […]

[sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [994]. / [resolv_discover_srv_done] (0x0040): SRV query failed [11]: Could not contact DNS servers

You receive the following two errors when dealing with apparent group lookups using getent group <USER GROUP>:

    [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [994].
    [resolv_discover_srv_done] (0x0040): SRV query failed [11]: Could not contact DNS servers

Feb 17 00:35:37 idmipa04 ns-slapd: [17/Feb/2019:00:35:37.251117736 -0500] - ERR - agmt="cn=meToidmipa03.mws.mds.xyz" (idmipa03:389) - clcache_load_buffer - Can't locate CSN 5c593ee3000200050000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.

When you get this:

    Feb 17 00:35:37 idmipa04 ns-slapd: [17/Feb/2019:00:35:37.251117736 -0500] - ERR - agmt="cn=meToidmipa03.mws.mds.xyz" (idmipa03:389) - clcache_load_buffer - Can't locate CSN 5c593ee3000200050000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.

Run this on the replica throwing the above error:

    [root@idmipa04 ~]# ipa-replica-manage re-initialize --from idmipa03.mws.mds.xyz
    Directory Manager […]

Zabbix: [Z3001] connection to database ‘zabbix’ failed: [2003] Can’t connect to MySQL server on ‘mysql-01.abc.xyz.123’ (13)

Zabbix error:

    [Z3001] connection to database 'zabbix' failed: [2003] Can't connect to MySQL server on 'mysql-01.abc.xyz.123' (13)

related to:

    audit.log:type=AVC msg=audit(1549949080.977:11328): avc:  denied  { name_connect } for  pid=9115 comm="zabbix_server" dest=3306 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

is solved by:

    # grep AVC /var/log/audit/audit.log | audit2allow -M systemd-allow; semodule -i systemd-allow.pp

Cheers,
TK

Zabbix: cannot start preprocessing service: Cannot bind socket to “/var/run/zabbix/zabbix_server_preprocessing.sock”: [98] Address already in use.

Zabbix error:

     10272:20190212:003104.073 cannot start preprocessing service: Cannot bind socket to "/var/run/zabbix/zabbix_server_preprocessing.sock": [98] Address already in use.
     10239:20190212:003104.078 One child process died (PID:10272,exitcode/signal:1). Exiting …

related to:

    # cat ../audit/audit.log|grep -Ei denied|tail
    type=AVC msg=audit(1549949530.062:12551): avc:  denied  { unlink } for  pid=10521 comm="zabbix_server" name="zabbix_server_preprocessing.sock" dev="tmpfs" ino=3998803 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file

is solved by:

    # grep AVC /var/log/audit/audit.log* […]

Zabbix: cannot set resource limit: [13] Permission denied

Zabbix error:

     10587:20190212:003514.676 using configuration file: /etc/zabbix/zabbix_server.conf
     10587:20190212:003514.676 cannot set resource limit: [13] Permission denied

relates to:

    [root@host01 zabbix]# cat ../audit/audit.log|grep -Ei denied|tail
    type=AVC msg=audit(1549949714.675:12570): avc:  denied  { setrlimit } for  pid=10587 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process
    [root@host01 zabbix]#

and is solved by:

    [root@host01 zabbix]# grep AVC /var/log/audit/audit.log* | audit2allow -M systemd-allow; semodule -i systemd-allow.pp

Cheers, […]

FreeIPA Quick Setup Guide w/ Replication HA, AD DC Trust, Sudo, Ganesha NFS

In this post, we are setting up an IPA server on a different domain from the one we had configured earlier (nix.mds.xyz). We do so because IPA comes not only with Authentication and DNS but also with a built-in KDC to which we will be connecting various pieces of software that […]


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License