Yes they are running. Server 1 can syn to server2 but error at server 2 like this. <div class="gmail_quote">2014/7/3 下午10:14 於 "Rob Crittenden" <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> 寫道： <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Please keep relies on the list. <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> wrote: > I saw the error beloe and errpr log is it related ? > > 29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Credentials cache > file '/tmp/krb5cc_492' not found)) errno 0 (Success) > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) I believe this is fairly normal on a new startup. It has to start somewhere. The expired ticket errors below are unexpected since there are so many of them. Is your KDC running? ipactl status rob > > > 2014-07-02 14:15 GMT+08:00 <<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>: > > > this is the error log i found at <a href="http://2.abc.com" target="_blank">2.abc.com</a> <<a href="http://2.abc.com" target="_blank">http://2.abc.com</a>> > > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI > Error: Unspecified GSS failure. Minor code may provide more > information (Ticket expired)) errno 0 (Success) > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI > Error: Unspecified GSS failure. Minor code may provide more > information (Ticket expired)) errno 0 (Success) > [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - > agmt="cn=<a href="http://meTo1.abc.com" target="_blank">meTo1.abc.com</a> <<a href="http://meTo1.abc.com" target="_blank">http://meTo1.abc.com</a>>" (central:389): > Replication bind with GSSAPI auth failed: LDAP error -2 (Local > error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Ticket expired)) > [30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI > Error: Unspecified GSS failure. Minor code may provide more > information (Ticket expired)) errno 0 (Success) > [30/Jun/2014:12:51:35 +0800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI > Error: Unspecified GSS failure. Minor code may provide more > information (Ticket expired)) errno 0 (Success) > [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI > Error: Unspecified GSS failure. Minor code may provide more > information (Ticket expired)) errno 0 (Success) > [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI > Error: Unspecified GSS failure. Minor code may provide more > information (Ticket expired)) errno 0 (Success) > [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > > > 2014-07-02 12:32 GMT+08:00 <<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> > <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>: > > yes on node 1 it is happening only node2 fail connect > > ipa-replica-manage list <a href="http://2.abc.com" target="_blank">2.abc.com</a> <<a href="http://2.abc.com" target="_blank">http://2.abc.com</a>> > Directory Manager password: > > <a href="http://1.abc.com" target="_blank">1.abc.com</a> <<a href="http://1.abc.com" target="_blank">http://1.abc.com</a>>: replica > > > > 2014-06-30 20:59 GMT+08:00 Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> > <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>: > > Barry wrote: > > Hi: > > > > Server 1 and Sever 2 is cluster master master orginally , > but server 2 > > fail to connect server1 ,. > > > > ipa-replica-manage list shown Can't contact LDAP server > > > > But as server1 it is ok master server1 master server2 , > > > > It seem affect if update on server 1 then it syn to > server2 no problem > > but sometimes if modfy in server2 if fail to update server1. > > > > Any idea to rebuild mutual relationship.? > > The first step is to diagnose what is wrong. I've already > suggested a > few things, > <a href="https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html" target="_blank">https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html</a> > > rob > > -- > Manage your subscription for the Freeipa-users mailing list: > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project > > > > </blockquote></div>