<div dir="ltr">Yes; I verified that both forward and reverse DNS match on all nodes.<br></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div><br>Thank you,<br><br>Christian Hernandez<br></div>1225 Los Angeles Street<br>
<div>Glendale, CA 91204<br>
Phone: <a value="+18777822737">877-782-2737 ext. 4566</a><br>Fax: <a value="+18182653152">818-265-3152</a><br><a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a> <mailto:<a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>> <br>
<a href="http://www.4over.com/" target="_blank">www.4over.com</a> <<a href="http://www.4over.com/" target="_blank">http://www.4over.com</a>></div></div></div>
<br><br><div class="gmail_quote">On Mon, Apr 15, 2013 at 6:21 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
On 04/15/2013 08:41 PM, Christian Hernandez wrote:
<blockquote type="cite">
<div dir="ltr">Yup, looks like replication is broken =\<br>
<br>
[<a href="mailto:root@ipa1.gln.4over.com" target="_blank">root@ipa1.gln.4over.com</a>
ipa]# ipa-replica-manage disconnect <a href="http://ipa1.la3.4over.com" target="_blank">ipa1.la3.4over.com</a><br>
Failed to get list of agreements from '<a href="http://ipa1.la3.4over.com" target="_blank">ipa1.la3.4over.com</a>':
Invalid credentials SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context<br>
<br>
[<a href="mailto:root@ipa1.gln.4over.com" target="_blank">root@ipa1.gln.4over.com</a>
ipa]# ipa-replica-manage list <a href="http://ipa1.la3.4over.com" target="_blank">ipa1.la3.4over.com</a><br>
Failed to get data from '<a href="http://ipa1.la3.4over.com" target="_blank">ipa1.la3.4over.com</a>':
Invalid credentials SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context<br>
<br>
[<a href="mailto:root@ipa1.gln.4over.com" target="_blank">root@ipa1.gln.4over.com</a>
ipa]# ipa-replica-manage list<br>
<a href="http://ipa1.la3.4over.com" target="_blank">ipa1.la3.4over.com</a>:
master<br>
<a href="http://ipa1.gln.4over.com" target="_blank">ipa1.gln.4over.com</a>:
master<br>
<a href="http://ipa1.da2.4over.com" target="_blank">ipa1.da2.4over.com</a>:
master<br>
</div>
</blockquote>
<br>
<br></div>
Do the machines resolve each other correctly?<div><div class="h5"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra">
<br clear="all">
<div>
<div dir="ltr">
<div><br>
Thank you,<br>
<br>
Christian Hernandez<br>
</div>
1225 Los Angeles Street<br>
<div>Glendale, CA 91204<br>
Phone: <a value="+18777822737">877-782-2737
ext. 4566</a><br>
Fax: <a value="+18182653152">818-265-3152</a><br>
<a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>
<mailto:<a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>>
<br>
<a href="http://www.4over.com/" target="_blank">www.4over.com</a> <<a href="http://www.4over.com/" target="_blank">http://www.4over.com</a>></div>
</div>
</div>
<br>
<br>
<div class="gmail_quote">On Mon, Apr 15, 2013 at 4:58 PM,
Christian Hernandez <span dir="ltr"><<a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>Okay,<br>
<br>
So I tried to update to the newest version. Update went
okay and users can authenticate (as far as I can
tell)...<br>
<br>
But I think may be replication broke?<br>
<br>
[<a href="mailto:root@ipa1.da2.4over.com" target="_blank">root@ipa1.da2.4over.com</a>
log]# ipa-replica-manage force-sync --from=<a href="http://ipa1.gln.4over.com" target="_blank">ipa1.gln.4over.com</a>
<br>
Invalid password<br>
<br>
</div>
Any ideas?<br>
</div>
<div class="gmail_extra">
<div><br clear="all">
<div>
<div dir="ltr">
<div><br>
Thank you,<br>
<br>
Christian Hernandez<br>
</div>
1225 Los Angeles Street<br>
<div>Glendale, CA 91204<br>
Phone: <a value="+18777822737">877-782-2737 ext. 4566</a><br>
Fax: <a value="+18182653152">818-265-3152</a><br>
<a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>
<mailto:<a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>> <br>
<a href="http://www.4over.com/" target="_blank">www.4over.com</a>
<<a href="http://www.4over.com/" target="_blank">http://www.4over.com</a>></div>
</div>
</div>
<br>
<br>
</div>
<div>
<div>
<div class="gmail_quote">On Mon, Apr 15, 2013 at 4:19
PM, Jakub Hrozek <span dir="ltr"><<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob
Crittenden wrote:<br>
> There are some odd errors in ldap_child.log
but it seems to cover a<br>
> later period than the other logs (not being
able to bind using its<br>
> keytab is a bad thing).<br>
><br>
> I think what you'll want to do, and this
may be relatively tough, is<br>
> try to correlate these failures with the
389-ds access log and the<br>
> KDC logs to see if there are equivalent
failures at around the same<br>
> times.<br>
<br>
</div>
I agree, the ldap_child failing usually indicates
an issue with the<br>
keytab and/or the KDC. The ldap_child
functionality is roughly equivalent to<br>
"kinit -k".<br>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888"><pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</font></span></div>
<br>_______________________________________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></blockquote></div><br></div>