PSergey Absent Member.

LUM,iManager and Apache on OES2 Problem

Hi,
I have installed NCS on two OES2 (64-bit) servers. Everything worked fine after the NCS configuration (both servers are installed in some container). But a few days ago I tried to launch iManager on the first node and got the error (111) Connection refused. I checked the apache2 and tomcat5 services and found them not running; the namcd process had crashed too:
rcnamcd status
Checking for LUM NAMCD daemon dead

In the messages log I get:
cron[12347]: nds_nss_GetGroupsbyMember: failed to init socket, status = 0
sshd[15379]: nds_nss_GetGroupsbyMember: failed to init socket, status = 0

I tried to restart namcd and got:
Starting NAM Cache Daemon ...
Waiting for LDAP server to be ready ...
............................................................
Waiting for namcd initialization to complete ... done
rcnamcd status
Checking for LUM NAMCD daemon dead
messages:
/usr/sbin/namcd[17706]: Starting namcd..
/usr/sbin/namcd[17706]: namcd populating the user hash tables
/usr/sbin/namcd[17706]: User profile file cannot be opened/does not exist
/usr/sbin/namcd[17706]: Failed to populate user hash tables from file, namcd populating the hash tables from eDir
/usr/sbin/namcd[17706]: ldap_initconn: LDAP bind failed (error = [81]), trying to connect to alternative LDAP server
/usr/sbin/namcd[17706]: Unknown error returned reading configuration parameter: alternative-ldap-server-list
/usr/sbin/namcd[17706]: _nds_nss_struct_init: Error [226] in _nds_ldap_private_struct_init.
/usr/sbin/namcd[17706]: Problem in namcd initialization, exiting...
/usr/sbin/namcd[17706]: Deleted hash tables and flushed data into local files
/usr/sbin/namcd[17706]: Deinitialized threads

I found that novell-xregd doesn't work either, and tried to restart it:
rcnovell-xregd status unused
rcnovell-xregd start
Starting novell-xregd...start_daemon: No such user or user id: novlxregd failed

messages:
nds_nss_GetPwdbyName: init sock returned 0
chown: nds_nss_GetPwdbyName: init sock returned 0
start_daemon: nds_nss_GetPwdbyName: init sock returned 0

I haven't changed anything on this server in the last week (just updated the iManager plugins). My second node runs fine and doesn't have this issue. I tried to find something on Novell support; TID 10098039 seems like my problem, but I checked all services after installing NCS and found everything OK (I don't have nssid.sh on my problematic server either)...
Both nodes are patched to:
Catalog | Name | Version | Category | Status
--------+-------------------------------------------+---------+-------------+--------
System | oes2-novell-arkmanager | 4924-0 | recommended | Applied
System | oes2-novell-cluster-services | 5141-0 | recommended | Applied
System | oes2-novell-cluster-services-32bit | 4783-0 | recommended | Applied
System | oes2-novell-kerberos | 5140-0 | security | Applied
System | oes2-novell-migration-gui-base | 4842-0 | optional | Applied
System | oes2-novell-ncpenc | 5085-0 | recommended | Applied
System | oes2-novell-NDSbase | 5106-0 | recommended | Applied
System | oes2-novell-nrm | 4561-0 | recommended | Applied
System | oes2-novell-nssfileversionutility-clients | 4923-0 | recommended | Applied
System | oes2-novell-ntls | 4684-0 | recommended | Applied
System | oes2-nss-kmp | 4562-0 | recommended | Applied
System | slesp1-perl-Bootloader | 3680-0 | recommended | Broken
System | slesp1-yast2-installation | 3830-0 | recommended | Broken
System | slesp1-yast2-online-update | 4661-0 | recommended | Broken

Any ideas ?
Thx, Sergey.
Brunold Rainer Absent Member.

Re: LUM,iManager and Apache on OES2 Problem

Sergey.

This all sounds like eDirectory (ndsd) is not running.
All these processes depend on it and need it.
Can you check if ndsd is running (rcndsd status)?

Rainer
PSergey Absent Member.

Re: LUM,iManager and Apache on OES2 Problem

brunold;1552047 wrote:
Sergey.

This all sounds like eDirectory (ndsd) is not running.
All these processes depend on it and need it.
Can you check if ndsd is running (rcndsd status)?

Rainer


rcndsd status
Tree Name: HU
Server Name: .CN=srv2.OU=Servers.O=HU.T=HU.
Binary Version: 20216.61
Root Most Entry Depth: -1
Product Version: eDirectory for Linux v8.8 SP2 [DS]

I don't have replicas on the cluster nodes; my master server is NetWare 6 SP5 with eDirectory 8.7.3 SP9 (10553.73).
Brunold Rainer Absent Member.

Re: LUM,iManager and Apache on OES2 Problem

Sergey,

OK, so far eDirectory is running, so it must be related to LUM, because all the Novell services on the server require LUM-enabled eDirectory users. Because LUM (namcd) is down, the users are not available and the applications won't start. I think when you check e.g. the Apache log file /var/log/apache2/error.log you will see a message about the missing apache user at the end. This would indicate that we are on the right track.

To fix the LUM problem I would first try to reimport the SSL certificate (rcnamcd stop, namconfig -k, rcnamcd start). If that works you should have e.g. the apache user wwwrun (id wwwrun) available.

If that does not work, you can use a workaround to get it working by adding the NetWare server as an alternate LDAP server for LUM by running the following command:

namconfig set alternative-ldap-server-list=<ip netware server>

This does not fix the problem but adds an alternate server so LUM gets the information; the users should be available, the apps should start, and we can continue to search for the problem.

Rainer
PSergey Absent Member.

Re: LUM,iManager and Apache on OES2 Problem

brunold;1555121 wrote:
Sergey,

OK, so far eDirectory is running, so it must be related to LUM, because all the Novell services on the server require LUM-enabled eDirectory users. Because LUM (namcd) is down, the users are not available and the applications won't start. I think when you check e.g. the Apache log file /var/log/apache2/error.log you will see a message about the missing apache user at the end. This would indicate that we are on the right track.

To fix the LUM problem I would first try to reimport the SSL certificate (rcnamcd stop, namconfig -k, rcnamcd start). If that works you should have e.g. the apache user wwwrun (id wwwrun) available.

If that does not work, you can use a workaround to get it working by adding the NetWare server as an alternate LDAP server for LUM by running the following command:

namconfig set alternative-ldap-server-list=<ip netware server>

This does not fix the problem but adds an alternate server so LUM gets the information; the users should be available, the apps should start, and we can continue to search for the problem.

Rainer


Hi, Rainer
Thanks for your reply. I set the alternative LDAP server and ran namconfig -k.
I get errors in messages:

nam_ldap_init(): retrieval of trusted root cert failed. Make sure you have LDAP server certificate in /var/lib/novell-lum directory.
/usr/sbin/namcd[28810]: nss_ldap_init: Unable to get LDAP handle.
/usr/sbin/namcd[28810]: ldap_initconn: Unable to bind to alternative LDAP servers either, error [226].

namcd crashed again 😞
I guess now this is a certificate problem, maybe on my master NetWare server?!
I'll try to check with PKIDIAG and come back …
PSergey Absent Member.

Re: LUM,iManager and Apache on OES2 Problem

PSergey;1555240 wrote:
Hi, Rainer
Thanks for your reply. I set the alternative LDAP server and ran namconfig -k.
I get errors in messages:

nam_ldap_init(): retrieval of trusted root cert failed. Make sure you have LDAP server certificate in /var/lib/novell-lum directory.
/usr/sbin/namcd[28810]: nss_ldap_init: Unable to get LDAP handle.
/usr/sbin/namcd[28810]: ldap_initconn: Unable to bind to alternative LDAP servers either, error [226].

namcd crashed again 😞
I guess now this is a certificate problem, maybe on my master NetWare server?!
I'll try to check with PKIDIAG and come back …


🙂 ,
It's working now!
My NetWare server had the certificate problem:
pkidiag:
PROBLEM: The KMO SSL CertificateIP has expired.
--> The KMO SSL CertificateIP's IP Address is: x.x.x.x
----> The IP addresses match.
FIXING: Creating SSL CertificateIP (x.x.x.x)
Step 1: Successfully created the key pair and CSR.
FIXED: Successfully stored certificates for SSL CertificateIP.
--> Number of Server DNS names for the IP address x.x.x.x = 1
PROBLEM: The KMO SSL CertificateDNS has expired.
--> The KMO SSL CertificateDNS's DNS name is: name
----> The DNS names match.
FIXING: Creating SSL CertificateDNS (name)
Step 1: Successfully created the key pair and CSR.
FIXED: Successfully stored certificates for SSL CertificateDNS.
Step 6 succeeded.
Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 2
Problems fixed: 2
Un-fixable problems found: 0

After that I ran namconfig -k on my problematic OES2 server and restarted it.
Now ALL services are running (namcd, apache and tomcat5)!

Thanks!
Sergey.
Brunold Rainer Absent Member.

Re: LUM,iManager and Apache on OES2 Problem

Sergey.

well done,

Rainer
ryanradford Absent Member.

Re: LUM,iManager and Apache on OES2 Problem

Thanks so much for this solution. I had an issue where one of my remote servers quit running NSS. I determined it was an LDAP/LUM issue, and your reimport workaround fixed it right away. Thanks for your help!
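The root cause in this thread was an expired SSL certificate on the LDAP server that LUM binds to, and it only became visible once namcd was already dead. As an added example (not part of the thread and not Novell tooling), the script below checks the certificate files under /var/lib/novell-lum for upcoming expiry; the `.der` file suffix, the `LUM_CERT_DIR` variable and both function names are assumptions made here.

```shell
#!/bin/sh
# Added example: flag the LDAP server certificate LUM trusts before it expires.
# Assumptions: openssl is installed, and the certificate imported by
# "namconfig -k" is a DER or PEM file with a .der suffix in LUM_CERT_DIR.
LUM_CERT_DIR=${LUM_CERT_DIR:-/var/lib/novell-lum}

# cert_status FILE DAYS -> prints ok | expiring | unreadable
# "expiring" also covers a certificate that has already expired.
cert_status() {
    file=$1
    secs=$(( $2 * 86400 ))
    for form in DER PEM; do
        if openssl x509 -inform "$form" -in "$file" -noout >/dev/null 2>&1; then
            # -checkend exits 0 only if the cert is still valid in $secs seconds
            if openssl x509 -inform "$form" -in "$file" -noout \
                    -checkend "$secs" >/dev/null 2>&1; then
                echo ok
            else
                echo expiring
            fi
            return 0
        fi
    done
    echo unreadable
}

# scan_lum_certs [DAYS] -> one "status path" line per certificate.
# Returns 0 if all are ok, 1 if any is expiring/unreadable, 2 if none exist.
scan_lum_certs() {
    days=${1:-30}
    rc=0
    list=$(find "$LUM_CERT_DIR" -maxdepth 1 -type f -name '*.der' 2>/dev/null || true)
    if [ -z "$list" ]; then
        echo "no LDAP server certificate found in $LUM_CERT_DIR"
        return 2
    fi
    while IFS= read -r f; do
        st=$(cert_status "$f" "$days")
        echo "$st $f"
        [ "$st" = ok ] || rc=1
    done <<EOF
$list
EOF
    return $rc
}
```

Source the file and call `scan_lum_certs 30`, for instance from a daily cron job. If it reports `expiring`, renew the certificate on the LDAP server first, then repeat the reimport from the thread (rcnamcd stop, namconfig -k, rcnamcd start).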