See the following error message:
"kinit: Generic error (see e-text) while getting initial credentials"
Also, an AVC denial is seen. Please have a look at the snip from audit.log below.
Console output
===============
[root@dhcp207-1 ~]# ipa-backup
Preparing backup on dhcp207-1.testrelm.test
Stopping IPA services
Backing up ipaca in TESTRELM-TEST to LDIF
Backing up userRoot in TESTRELM-TEST to LDIF
Backing up TESTRELM-TEST
Backing up files
Backed up to /var/lib/ipa/backup/ipa-full-2014-11-18-17-52-18
Starting IPA service
The ipa-backup command was successful
[root@dhcp207-1 ~]# echo xxxxxxxx|kinit admin
Password for admin@TESTRELM.TEST:
[root@dhcp207-1 ~]# ipa user-del testuser1
------------------------
Deleted user "testuser1"
------------------------
[root@dhcp207-1 ~]# ipa-restore --data --online -p xxxxxxxx /var/lib/ipa/backup/ipa-full-2014-11-18-17-52-18/
Preparing restore from /var/lib/ipa/backup/ipa-full-2014-11-18-17-52-18/ on dhcp207-1.testrelm.test
Restoring data will overwrite existing live data. Continue to restore? [no]: yes
Each master will individually need to be re-initialized or re-created from this one. The replication agreements on masters running IPA 3.1 or earlier will need to be manually re-enabled. See the man page for details.
Disabling all replication.
Starting Directory Server
Restoring from userRoot in TESTRELM-TEST
Waiting for LDIF to finish
Restoring from ipaca in TESTRELM-TEST
Waiting for LDIF to finish
The ipa-restore command was successful
[root@dhcp207-1 ~]# kdestroy -A
[root@dhcp207-1 ~]# sudo -u apache kdestroy
[root@dhcp207-1 ~]# echo xxxxxxxx|kinit admin
kinit: Generic error (see e-text) while getting initial credentials
[root@dhcp207-1 ~]#

==> /var/log/krb5kdc.log <==
Nov 18 17:57:32 dhcp207-1.testrelm.test krb5kdc[15907](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.1: LOOKING_UP_CLIENT: admin@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Server error
Nov 18 17:57:40 dhcp207-1.testrelm.test krb5kdc[15907](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.1: LOOKING_UP_CLIENT: host/dhcp207-1.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Server error
Nov 18 17:57:41 dhcp207-1.testrelm.test krb5kdc[15907](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.1: LOOKING_UP_CLIENT: host/dhcp207-1.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Server error

snip from audit.log
===================
[root@dhcp207-1 backup]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1416320289.169:1685): avc: denied { open } for pid=30607 comm="ns-slapd" path="/tmp/tmpMv04xDipa/ipa/TESTRELM-TEST-userRoot.ldif" dev="dm-1" ino=17857594 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1416320289.169:1685): arch=c000003e syscall=2 success=no exit=-13 a0=7f3b04001600 a1=0 a2=0 a3=7f3af63f99d0 items=0 ppid=1 pid=30607 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1416320298.353:1686): avc: denied { open } for pid=30663 comm="ns-slapd" path="/tmp/tmpMv04xDipa/ipa/TESTRELM-TEST-ipaca.ldif" dev="dm-1" ino=17857592 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1416320298.353:1686): arch=c000003e syscall=2 success=no exit=-13 a0=7f3b200ba970 a1=0 a2=0 a3=7f3b3b6a0039 items=0 ppid=1 pid=30663 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
[root@dhcp207-1 backup]# cat /var/log/audit/audit.log |audit2allow

#============= dirsrv_t ==============
allow dirsrv_t user_tmp_t:file open;
[root@dhcp207-1 backup]#

On restarting ipa service after ipa-restore, saw following in /var/log/message/
===============================================================================
Nov 18 17:59:40 dhcp207-1 ipactl: Failed to read data from service file: Failed to get list of services to probe status!
Nov 18 17:59:40 dhcp207-1 ipactl: Configured hostname 'dhcp207-1.testrelm.test' does not match any master server in LDAP:
Nov 18 17:59:40 dhcp207-1 ipactl: No master found because of error: no such entry
Nov 18 17:59:40 dhcp207-1 ipactl: Shutting down
Nov 18 17:59:40 dhcp207-1 systemd: Stopping 389 Directory Server TESTRELM-TEST....
Nov 18 17:59:41 dhcp207-1 systemd: Stopped 389 Directory Server TESTRELM-TEST..
Nov 18 17:59:41 dhcp207-1 ipactl: Starting Directory Service
Nov 18 17:59:41 dhcp207-1 systemd: ipa.service: main process exited, code=exited, status=1/FAILURE
Nov 18 17:59:41 dhcp207-1 systemd: Failed to start Identity, Policy, Audit.
Nov 18 17:59:41 dhcp207-1 systemd: Unit ipa.service entered failed state.
Duplicate of #4712
The directory server is down because of the mentioned AVC denial:
[18/Nov/2014:16:00:33 +0100] - import ipaca: Could not open LDIF file "/tmp/tmpp0hqQVipa/ipa/IDM-LAB-ENG-BRQ-REDHAT-COM-ipaca.ldif", errno 13 (Permission denied)
[18/Nov/2014:16:00:33 +0100] - import ipaca: Thread monitoring returned: -23
[18/Nov/2014:16:00:33 +0100] - import ipaca: Aborting all Import threads...
[18/Nov/2014:16:00:44 +0100] - import ipaca: Import threads aborted.
[18/Nov/2014:16:00:44 +0100] - import ipaca: Closing files...
[18/Nov/2014:16:00:44 +0100] - import ipaca: Import failed.
[18/Nov/2014:16:02:09 +0100] - slapd shutting down - signaling operation threads - op stack size 6 max work q size 1 max work q stack size 1
[18/Nov/2014:16:02:09 +0100] - slapd shutting down - closing down internal subsystems and plugins
[18/Nov/2014:16:02:09 +0100] - Waiting for 4 database threads to stop
[18/Nov/2014:16:02:09 +0100] - All database threads now stopped
[18/Nov/2014:16:02:09 +0100] - slapd shutting down - freed 1 work q stack objects - freed 6 op stack objects
[18/Nov/2014:16:02:09 +0100] - slapd stopped.

time->Fri Nov 7 15:25:44 2014
type=AVC msg=audit(1415370344.228:131): avc: denied { create } for pid=2207 comm="cp" name="CS.cfg.bak.20141107152544" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=0

time->Tue Nov 18 16:00:24 2014
type=AVC msg=audit(1416322824.149:3949): avc: denied { open } for pid=16975 comm="ns-slapd" path="/tmp/tmpp0hqQVipa/ipa/IDM-LAB-ENG-BRQ-REDHAT-COM-userRoot.ldif" dev="tmpfs" ino=2709303 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
Metadata Update from @ksiddiqu:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
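
The correlation the comments above rely on, as an added example (not part of the original ticket and not FreeIPA code): pair each AVC denial with the SYSCALL record that shares its audit serial, then group the denials by the rule they correspond to. The function names are hypothetical; the sample records are taken from the audit.log excerpt above with the SYSCALL fields trimmed.

```python
import re
from collections import defaultdict

# Records copied from the ticket's audit.log excerpt; SYSCALL fields trimmed.
SAMPLE = '''\
type=AVC msg=audit(1416320289.169:1685): avc: denied { open } for pid=30607 comm="ns-slapd" path="/tmp/tmpMv04xDipa/ipa/TESTRELM-TEST-userRoot.ldif" dev="dm-1" ino=17857594 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1416320289.169:1685): arch=c000003e syscall=2 success=no exit=-13 pid=30607 uid=996 comm="ns-slapd" exe="/usr/sbin/ns-slapd"
type=AVC msg=audit(1416320298.353:1686): avc: denied { open } for pid=30663 comm="ns-slapd" path="/tmp/tmpMv04xDipa/ipa/TESTRELM-TEST-ipaca.ldif" dev="dm-1" ino=17857592 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1416320298.353:1686): arch=c000003e syscall=2 success=no exit=-13 pid=30663 uid=996 comm="ns-slapd" exe="/usr/sbin/ns-slapd"
'''
RECORD = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(body):
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def parse_denials(text):
    # Join each AVC denial with the SYSCALL record sharing its audit serial.
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events[m.group(3)][m.group(1)] = m.group(4)
    out = []
    for serial, recs in events.items():
        hit = DENIED.search(recs.get("AVC", ""))
        if not hit:
            continue
        avc, sc = fields(recs["AVC"]), fields(recs.get("SYSCALL", ""))
        out.append({
            "serial": int(serial), "perms": hit.group(1).split(),
            "comm": avc.get("comm"), "object": avc.get("path") or avc.get("name"),
            # SELinux context is user:role:type:level; the type drives the decision.
            "source": avc["scontext"].split(":")[2],
            "target": avc["tcontext"].split(":")[2], "tclass": avc.get("tclass"),
            "exe": sc.get("exe"), "exit": int(sc["exit"]) if "exit" in sc else None,
        })
    return out

def group_by_rule(denials):
    # (source type, target type, class, perm) -> objects a matching rule would cover.
    rules = defaultdict(list)
    for d in denials:
        for perm in d["perms"]:
            rules[(d["source"], d["target"], d["tclass"], perm)].append(d["object"])
    return dict(rules)
```

The `exit=-13` on the paired SYSCALL record is EACCES, the same errno 13 that ns-slapd reports when it cannot open the LDIF file.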