Re: [389-users] Unable to Manage Registered Servers from Console


 



Rich,

The Fedora firewall rules on serverB were to blame for the communication problems. After flushing them, serverA had full visibility with registered servers. Thank you.


On Thu, Nov 10, 2011 at 7:05 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 11/10/2011 04:20 PM, Tom Tucker wrote:
Hmm...No!

serverA to serverB:9830 fails to connect, while serverB to serverA:9830 works.

So if the web browser can't connect, and the console can't connect, make sure the process is listening to a valid (i.e. not 127.0.0.1) address:
netstat -an|grep 9830

If it is listening to an externally reachable address, then also check to see if there is some sort of ipv4 vs. ipv6 issue, e.g. the server is listening only to ipv6 but the DNS is giving only ipv4 addresses.

Otherwise, looks like a firewall issue.


Odd, a pid exists and port 9830 is bound.

The below capture from serverB shows connectivity between the two and it also shows the port 9830 problems. Any suggestions for troubleshooting the admin piece? I have included the admin-srv/error.log and debug output from start-ds-admin. I didn't notice anything questionable from either source.


ServerA to B
############
[root@serverA]# telnet 10.224.146.243 9830
Trying 10.224.146.243...
telnet: connect to address 10.224.146.243: No route to host

ServerB
#########
[root@serverB]# netstat -an | grep 9830
tcp        0      0 0.0.0.0:9830                0.0.0.0:*                   LISTEN      
unix  3      [ ]         STREAM     CONNECTED     19830  @/tmp/dbus-32VTqFryLw

[root@serverB]# telnet 10.102.71.211 9830
Trying 10.102.71.211...
Connected to 10.102.71.211.
Escape character is '^]'.


[root@serverB]# tcpdump -i p3p1 host serverA
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p3p1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:53:46.634915 IP serverA > serverB: ICMP echo request, id 11535, seq 1, length 64
17:53:46.635000 IP serverB > serverA: ICMP echo reply, id 11535, seq 1, length 64
17:53:47.636120 IP serverA > serverB: ICMP echo request, id 11535, seq 2, length 64
17:53:47.636192 IP serverB > serverA: ICMP echo reply, id 11535, seq 2, length 64
17:53:48.637272 IP serverA > serverB: ICMP echo request, id 11535, seq 3, length 64
17:53:48.637327 IP serverB > serverA: ICMP echo reply, id 11535, seq 3, length 64
17:53:49.638405 IP serverA > serverB: ICMP echo request, id 11535, seq 4, length 64
17:53:49.638461 IP serverB > serverA: ICMP echo reply, id 11535, seq 4, length 64
17:53:50.639521 IP serverA > serverB: ICMP echo request, id 11535, seq 5, length 64
17:53:50.639556 IP serverB > serverA: ICMP echo reply, id 11535, seq 5, length 64
17:54:03.762709 IP serverA.33027 > serverB.9830: Flags [S], seq 3182616044, win 14600, options [mss 1460,sackOK,TS val 364237574 ecr 0,nop,wscale 6], length 0
17:54:03.762809 IP serverB > serverA: ICMP host serverB unreachable - admin prohibited, length 68
This looks like the problem.  I have no idea what would cause this.


Syntax is ok ;-)
#############
[root@serverB]# /usr/sbin/start-ds-admin -t
Syntax OK

Start-up debug
##########
[root@serverB]# /usr/sbin/start-ds-admin -e debug
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module authz_host_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module auth_basic_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module authn_file_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module log_config_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module env_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module mime_magic_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module unique_id_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module setenvif_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module mime_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module negotiation_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module dir_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module alias_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module rewrite_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module cgi_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module restartd_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module nss_module
[Thu Nov 10 18:07:01 2011] [debug] mod_so.c(246): loaded module admserv_module
[Thu Nov 10 18:07:01 2011] [debug] mod_admserv/mod_admserv.c(2509): [7034] create_server_config [0xbogus %p for (null)
[Thu Nov 10 18:07:01 2011] [debug] mod_admserv/mod_admserv.c(2497): [7034] create_config [0xbogus %p for (null)
[Thu Nov 10 18:07:01 2011] [debug] mod_admserv/mod_admserv.c(2570): [7034] Set [0xbogus %p [ADMCacheLifeTime] to 600
[Thu Nov 10 18:07:01 2011] [debug] mod_admserv/mod_admserv.c(2588): [7034] Set [0xbogus %p [ADMServerVersionString] to 389-Administrator/1.1.25
[Thu Nov 10 18:07:01 2011] [debug] mod_admserv/mod_admserv.c(2497): [7034] create_config [0xbogus %p for /*/[tT]asks/[Oo]peration/*
[Thu Nov 10 18:07:01 2011] [debug] mod_admserv/mod_admserv.c(2522): [7034] adminsdk [0xbogus %p flag 1
[Thu Nov 10 18:07:01 2011] [debug] mod_admserv/mod_admserv.c(2497): [7034] create_config [0xbogus %p for /*/[tT]asks/[Cc]onfiguration/*
[Thu Nov 10 18:07:01 2011] [debug] mod_admserv/mod_admserv.c(2522): [7034] adminsdk [0xbogus %p flag 1
[Thu Nov 10 18:07:01 2011] [debug] mod_admserv/mod_admserv.c(2497): [7034] create_config [0xbogus %p for /*/[tT]asks/[Oo]peration/(?i:stop|start|restart|startconfigds|create|remove)$
[Thu Nov 10 18:07:01 2011] [debug] mod_admserv/mod_admserv.c(2522): [7034] adminsdk [0xbogus %p flag 0
[root@serverB]# 


admin-serv error log from serverB
############################
root@serverB]# tail -30 error 
[Thu Nov 10 18:07:02 2011] [debug] mod_admserv/mod_admserv.c(220): HashTableEnumerate: Key=admin-serv Val=cn=admin-serv-serverB,cn=389 Administration Server,cn=Server Group,cn=serverB.mydomain.com,ou=mydomain.com,o=NetscapeRoot
[Thu Nov 10 18:07:02 2011] [debug] mod_admserv/mod_admserv.c(1456): populate_tasks_from_server(): getting tasks for server [admin-serv] siedn [cn=admin-serv-serverB,cn=389 Administration Server,cn=Server Group,cn=serverB.mydomain.com,ou=mydomain.com,o=NetscapeRoot]
[Thu Nov 10 18:07:02 2011] [notice] Access Host filter is: *.mydomain.com
[Thu Nov 10 18:07:02 2011] [notice] Access Address filter is: *
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module authz_host_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module auth_basic_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module authn_file_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module log_config_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module env_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module mime_magic_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module unique_id_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module setenvif_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module mime_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module negotiation_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module dir_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module alias_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module rewrite_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module cgi_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module restartd_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module nss_module
[Thu Nov 10 18:07:02 2011] [debug] mod_so.c(246): loaded module admserv_module
[Thu Nov 10 18:07:02 2011] [debug] mod_admserv/mod_admserv.c(2509): [7034] create_server_config [0xbogus %p for (null)
[Thu Nov 10 18:07:02 2011] [debug] mod_admserv/mod_admserv.c(2497): [7034] create_config [0xbogus %p for (null)
[Thu Nov 10 18:07:03 2011] [notice] Apache/2.2.21 (Unix) configured -- resuming normal operations
[Thu Nov 10 18:07:03 2011] [debug] mod_admserv/mod_admserv.c(2940): Entering admserv_init_child pid [7039] init count is [1]
[Thu Nov 10 18:07:03 2011] [debug] mod_admserv/mod_admserv.c(220): HashTableEnumerate: Key=admin-serv Val=cn=admin-serv-serverB,cn=389 Administration Server,cn=Server Group,cn=serverB.mydomain.com,ou=mydomain.com,o=NetscapeRoot
[Thu Nov 10 18:07:03 2011] [debug] mod_admserv/mod_admserv.c(1456): populate_tasks_from_server(): getting tasks for server [admin-serv] siedn [cn=admin-serv-serverB,cn=389 Administration Server,cn=Server Group,cn=serverB.mydomain.com,ou=mydomain.com,o=NetscapeRoot]
[Thu Nov 10 18:07:03 2011] [notice] Access Host filter is: *.mydomain.com
[Thu Nov 10 18:07:03 2011] [notice] Access Address filter is: *
[Thu Nov 10 18:07:03 2011] [debug] mod_admserv/mod_admserv.c(2954): Leaving admserv_init_child



On Thu, Nov 10, 2011 at 5:20 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 11/10/2011 02:56 PM, Tom Tucker wrote:
Attached is the console.log output from serverA.

I noticed this error in the output. BTW no firewalls exist between these hosts, nor is IPTables or selinux running on either end.

ResourceSet: found in cache loader6298545:com.netscape.management.client.util.default
ClassLoader: :loadClass():name:java.net.URL
java.net.NoRouteToHostException: No route to host
ClassLoader: :loadClass():name:java.net.SocketException
Can you go to http://serverB.mydomain.com:9830
in your web browser, from both machines?



On Thu, Nov 10, 2011 at 3:31 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 11/10/2011 01:16 PM, Tom Tucker wrote:
The upgrade to a5 addressed the subroutine error, thanks. Unfortunately serverB is still refusing to be managed via the Console.  I ran the  -u update twice and bounced services for the helluva it. Additional output can be found below.
Ok. Run the console like this:
389-console -D 9 -f console.log
- remove/obscure any sensitive data in console.log
- post console.log to the list



SERVER A
########

Are you ready to set up your servers? [yes]: 
Could not open TLS connection to serverA.mydomain.com:389 - trying regular connection
rm: cannot remove `/var/lib/dirsrv/slapd-serverA/changelogdb/__db.*': No such file or directory
rm: cannot remove `/var/lib/dirsrv/slapd-serverA/changelogdb/guardian': No such file or directory
Registering the directory server instances with the configuration directory server . . .
Beginning Admin Server reconfiguration . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Exiting . . .
Log file is '/tmp/setupYUpMQ4.log'


[root@serverA phpldapadmin]# rpm -qi 389-ds-base
Name        : 389-ds-base
Version     : 1.2.10
Release     : 0.5.a5.fc15
Architecture: i686
Install Date: Thu 10 Nov 2011 02:54:23 PM EST
Group       : System Environment/Daemons
Size        : 4738178
License     : GPLv2 with exceptions
Signature   : RSA/SHA256, Sat 05 Nov 2011 09:17:58 AM EDT, Key ID b4ebf579069c8460
Source RPM  : 389-ds-base-1.2.10-0.5.a5.fc15.src.rpm
Build Date  : Fri 04 Nov 2011 07:13:25 PM EDT
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server.  The base package includes
the LDAP server and command line utilities for server administration.



SERVER B
#########


Are you ready to set up your servers? [yes]: 
Could not open TLS connection to serverB.mydomain.com:389 - trying regular connection
Registering the directory server instances with the configuration directory server . . .
Beginning Admin Server reconfiguration . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Exiting . . .
Log file is '/tmp/setupS0ZvAH.log'


[root@serverB admin-serv]# !292
rpm -qi 389-ds-base
Name        : 389-ds-base
Version     : 1.2.10
Release     : 0.5.a5.fc15
Architecture: i686
Install Date: Thu 10 Nov 2011 03:04:01 PM EST
Group       : System Environment/Daemons
Size        : 4738178
License     : GPLv2 with exceptions
Signature   : RSA/SHA256, Sat 05 Nov 2011 09:17:58 AM EDT, Key ID b4ebf579069c8460
Source RPM  : 389-ds-base-1.2.10-0.5.a5.fc15.src.rpm
Build Date  : Fri 04 Nov 2011 07:13:25 PM EDT
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://port389.org/
Summary     : 389 Directory Server (base)



On Thu, Nov 10, 2011 at 2:36 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 11/10/2011 12:02 PM, Tom Tucker wrote:
Responding to the group..this time.


Thanks for the quick response, unfortunately no change.

OS: FC 15

Server1
##########
[root@serverA phpldapadmin]# setup-ds-admin.pl -u

==============================================================================
The update option will allow you to re-register your servers with the
configuration directory server and update the information about your
servers that the console and admin server uses.  You will need your
configuration directory server admin ID and password to continue.

Continue? [yes]: 

==============================================================================
Please specify the information about your configuration directory
server.  The following information is required:
- host (fully qualified), port (non-secure or secure), suffix,
  protocol (ldap or ldaps) - this information should be provided in the
  form of an LDAP url e.g. for non-secure
  or for secure
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and
  security has not yet been configured - the file must be in PEM/ASCII
  format - specify the absolute path and filename

Configuration directory server URL [ldap://serverA.mydomain.com:389/o=NetscapeRoot]: 
Configuration directory server admin ID [uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot]: 
Configuration directory server admin password: 
Configuration directory server admin domain [mydomain.com]: 

==============================================================================
The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]: 
Could not open TLS connection to serverA.mydomain.com:389 - trying regular connection
rm: cannot remove `/var/lib/dirsrv/slapd-serverA/changelogdb/__db.*': No such file or directory
rm: cannot remove `/var/lib/dirsrv/slapd-serverA/changelogdb/guardian': No such file or directory
Undefined subroutine &DSUpdate::updateSystemD called at /usr/lib/dirsrv/perl/DSUpdate.pm line 419.
rpm -qi 389-ds-base
this issue is fixed in 1.2.10.a5 in updates-testing



Server2
#########
[root@usg-ldap7901 admin-serv]# setup-ds-admin.pl -u

==============================================================================
The update option will allow you to re-register your servers with the
configuration directory server and update the information about your
servers that the console and admin server uses.  You will need your
configuration directory server admin ID and password to continue.

Continue? [yes]: yes 

==============================================================================
Please specify the information about your configuration directory
server.  The following information is required:
- host (fully qualified), port (non-secure or secure), suffix,
  protocol (ldap or ldaps) - this information should be provided in the
  form of an LDAP url e.g. for non-secure
  or for secure
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and
  security has not yet been configured - the file must be in PEM/ASCII
  format - specify the absolute path and filename

Configuration directory server URL [ldap://serverA.mydomain.com:389/o=NetscapeRoot]: 
Configuration directory server admin ID [uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot]: 
Configuration directory server admin password: 
Configuration directory server admin domain [mydomain.com]: 

==============================================================================
The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]: 
Could not open TLS connection to serverA.mydomain.com:389 - trying regular connection
Undefined subroutine &DSUpdate::updateSystemD called at /usr/lib/dirsrv/perl/DSUpdate.pm line 419.




On Thu, Nov 10, 2011 at 1:48 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 11/10/2011 11:48 AM, Tom Tucker wrote:

I would appreciate any troubleshooting advice you might have regarding my registered ldap servers. I am referring to the first page you see when launching the console (servers listed underneath Servers and Applications). I see my servers listed, however I am unable to open them. Their "Server status" always reports "Stopped" even though the remote servers are running.

Based on my tcpdump capture below the 'admin prohibited' message is a clear indication of the problem, but I can't seem to correct it. I have rerun the setup several times, confirmed the password and such.

What am I missing?
Have you tried running setup-ds-admin.pl -u on both the local servers and the remote servers?



==============================================================================

13:35:27.458489 IP serverA.mydomain.com.30940 > serverB.mydomain.com.ldap: Flags [S], seq 404137883, win 14600, options [mss 1460,sackOK,TS val 348721371 ecr 0,nop,wscale 6], length 0
13:35:27.458591 IP serverB.mydomain.com > serverA.mydomain.com: ICMP host serverB.mydomain.com unreachable - admin prohibited, length 68



Please specify the information about your configuration directory
server.  The following information is required:
- host (fully qualified), port (non-secure or secure), suffix,
  protocol (ldap or ldaps) - this information should be provided in the
  form of an LDAP url e.g. for non-secure
  or for secure
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and
  security has not yet been configured - the file must be in PEM/ASCII
  format - specify the absolute path and filename

Configuration directory server URL [ldap://serverA.mydomain.com:389/o=NetscapeRoot]: 
Configuration directory server admin ID [uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot]: 
Configuration directory server admin password: 
Configuration directory server admin domain [mydomain.com]: 
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
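
The "ICMP host unreachable - admin prohibited" reply to a SYN seen in the captures above is what an iptables `REJECT --reject-with icmp-host-prohibited` rule on the target host sends, and the client reports it as "No route to host". The script below is an added example, not part of the thread or of 389 Directory Server; its function names and output format are hypothetical. It scans tcpdump text output for that pattern and prints a narrowly scoped ACCEPT rule to review for each rejected flow.

```shell
#!/bin/sh
# Added example: names and output format are hypothetical, not from the thread.

# Capture lines copied from the tcpdump output quoted in this thread.
sample_capture() {
  cat <<'EOF'
17:53:46.634915 IP serverA > serverB: ICMP echo request, id 11535, seq 1, length 64
17:53:46.635000 IP serverB > serverA: ICMP echo reply, id 11535, seq 1, length 64
17:54:03.762709 IP serverA.33027 > serverB.9830: Flags [S], seq 3182616044, win 14600, options [mss 1460,sackOK,TS val 364237574 ecr 0,nop,wscale 6], length 0
17:54:03.762809 IP serverB > serverA: ICMP host serverB unreachable - admin prohibited, length 68
13:35:27.458489 IP serverA.mydomain.com.30940 > serverB.mydomain.com.ldap: Flags [S], seq 404137883, win 14600, options [mss 1460,sackOK,TS val 348721371 ecr 0,nop,wscale 6], length 0
13:35:27.458591 IP serverB.mydomain.com > serverA.mydomain.com: ICMP host serverB.mydomain.com unreachable - admin prohibited, length 68
EOF
}

# Print "client server port" for every TCP SYN that the target answered with
# ICMP "admin prohibited" instead of a SYN-ACK or RST.
find_rejected_syns() {
  awk '
    # tcpdump prints endpoints as host.port; split on the last dot.
    function host(ep) { sub(/\.[^.]*$/, "", ep); return ep }
    function port(ep) { sub(/^.*\./, "", ep); return ep }

    # Plain SYN (no ACK flag): remember the destination port per client>server.
    $2 == "IP" && $4 == ">" && /Flags \[S\]/ {
      dst = $5; sub(/:$/, "", dst)
      pending[host($3) ">" host(dst)] = port(dst)
      next
    }
    # ICMP rejection sent by the server back to the client that sent the SYN.
    $2 == "IP" && $4 == ">" && /ICMP host .* unreachable - admin prohibited/ {
      cli = $5; sub(/:$/, "", cli)
      key = cli ">" $3
      if (key in pending) {
        print cli, $3, pending[key]
        delete pending[key]
      }
    }
  '
}

# Turn each finding into a rule to review before applying on the target host.
# Nothing is executed here; the rule is only printed.
suggest_accept_rules() {
  while read -r client server port; do
    printf 'on %s: iptables -I INPUT -p tcp -s %s --dport %s -j ACCEPT\n' \
      "$server" "$client" "$port"
  done
}

sample_capture | find_rejected_syns | suggest_accept_rules
```

A rule limited to the management host and the admin server port keeps the rest of the ruleset in force, unlike flushing it.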










