<div dir="ltr">Yes; I verified that both forward and reverse DNS match on all nodes.<br></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div><br>Thank you,<br><br>Christian Hernandez<br></div>1225 Los Angeles Street<br> <div>Glendale, CA 91204<br> Phone: <a value="+18777822737">877-782-2737 ext. 4566</a><br>Fax: <a value="+18182653152">818-265-3152</a><br><a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a> <mailto:<a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>> <br> <a href="http://www.4over.com/" target="_blank">www.4over.com</a> <<a href="http://www.4over.com/" target="_blank">http://www.4over.com</a>></div></div></div> <br><br><div class="gmail_quote">On Mon, Apr 15, 2013 at 6:21 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"><div class="im"> On 04/15/2013 08:41 PM, Christian Hernandez wrote: <blockquote type="cite"> <div dir="ltr">Yup, looks like replication is broken =\<br> <br> [<a href="mailto:root@ipa1.gln.4over.com" target="_blank">root@ipa1.gln.4over.com</a> ipa]# ipa-replica-manage disconnect <a href="http://ipa1.la3.4over.com" target="_blank">ipa1.la3.4over.com</a><br> Failed to get list of agreements from '<a href="http://ipa1.la3.4over.com" target="_blank">ipa1.la3.4over.com</a>': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context<br> <br> [<a href="mailto:root@ipa1.gln.4over.com" target="_blank">root@ipa1.gln.4over.com</a> ipa]# ipa-replica-manage list <a href="http://ipa1.la3.4over.com" target="_blank">ipa1.la3.4over.com</a><br> Failed to get data from '<a href="http://ipa1.la3.4over.com" target="_blank">ipa1.la3.4over.com</a>': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context<br> <br> [<a href="mailto:root@ipa1.gln.4over.com" target="_blank">root@ipa1.gln.4over.com</a> ipa]# ipa-replica-manage list<br> <a href="http://ipa1.la3.4over.com" target="_blank">ipa1.la3.4over.com</a>: master<br> <a href="http://ipa1.gln.4over.com" target="_blank">ipa1.gln.4over.com</a>: master<br> <a href="http://ipa1.da2.4over.com" target="_blank">ipa1.da2.4over.com</a>: master<br> </div> </blockquote> <br> <br></div> Do the machines resolve each other correctly?<div><div class="h5"><br> <br> <blockquote type="cite"> <div class="gmail_extra"> <br clear="all"> <div> <div dir="ltr"> <div><br> Thank you,<br> <br> Christian Hernandez<br> </div> 1225 Los Angeles Street<br> <div>Glendale, CA 91204<br> Phone: <a value="+18777822737">877-782-2737 ext. 4566</a><br> Fax: <a value="+18182653152">818-265-3152</a><br> <a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a> <mailto:<a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>> <br> <a href="http://www.4over.com/" target="_blank">www.4over.com</a> <<a href="http://www.4over.com/" target="_blank">http://www.4over.com</a>></div> </div> </div> <br> <br> <div class="gmail_quote">On Mon, Apr 15, 2013 at 4:58 PM, Christian Hernandez <span dir="ltr"><<a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div dir="ltr"> <div>Okay,<br> <br> So I tried to update to the newest version. Update went okay and users can authenticate (as far as I can tell)...<br> <br> But I think may be replication broke?<br> <br> [<a href="mailto:root@ipa1.da2.4over.com" target="_blank">root@ipa1.da2.4over.com</a> log]# ipa-replica-manage force-sync --from=<a href="http://ipa1.gln.4over.com" target="_blank">ipa1.gln.4over.com</a> <br> Invalid password<br> <br> </div> Any ideas?<br> </div> <div class="gmail_extra"> <div><br clear="all"> <div> <div dir="ltr"> <div><br> Thank you,<br> <br> Christian Hernandez<br> </div> 1225 Los Angeles Street<br> <div>Glendale, CA 91204<br> Phone: <a value="+18777822737">877-782-2737 ext. 4566</a><br> Fax: <a value="+18182653152">818-265-3152</a><br> <a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a> <mailto:<a href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>> <br> <a href="http://www.4over.com/" target="_blank">www.4over.com</a> <<a href="http://www.4over.com/" target="_blank">http://www.4over.com</a>></div> </div> </div> <br> <br> </div> <div> <div> <div class="gmail_quote">On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek <span dir="ltr"><<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div>On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:<br> > There are some odd errors in ldap_child.log but it seems to cover a<br> > later period than the other logs (not being able to bind using its<br> > keytab is a bad thing).<br> ><br> > I think what you'll want to do, and this may be relatively tough, is<br> > try to correlate these failures with the 389-ds access log and the<br> > KDC logs to see if there are equivalent failures at around the same<br> > times.<br> <br> </div> I agree, the ldap_child failing usually indicates an issue with the<br> keytab and/or the KDC. The ldap_child functionality is roughly equivalent to<br> "kinit -k".<br> <br> _______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> </blockquote> </div> <br> </div> </div> </div> </blockquote> </div> <br> </div> <br> <fieldset></fieldset> <br> <pre>_______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> <br> </div></div><span class="HOEnZb"><font color="#888888"><pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> </pre> </font></span></div> <br>_______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></blockquote></div><br></div>