<div dir="ltr"><div>server 1:<br>ipa-server-3.0.0-26.el6_4.4.x86_64</div><div><br></div><div>server2</div><div><br></div><div>ipa-server-3.0.0-37.el6.x86_64<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-04-30 1:10 GMT+08:00 <span dir="ltr"><<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br>ipa-server-3.0.0-37.el6.x86_64 << here<br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">2016-04-29 19:36 GMT+08:00 Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div bgcolor="#FFFFFF" text="#000000">
Please keep, user-list in CC<br>
<br>
You did not send all information I requested.<br>
<br>
Please use `rpm -ql ipa-server` to get exact version number<div><div><br>
<br>
<div>On 29.04.2016 13:32, <a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>
wrote:<br>
</div>
<blockquote type="cite">
<p dir="ltr">Error.is from Gss api And i m thinkbif it relate cert
issue.</p>
<p dir="ltr">Server1> server 2 fail<br>
Server 2 > server1 ok</p>
<p dir="ltr">Freeipa 3.0 both</p>
<p dir="ltr">slapd_ldap_sasl_interactive_bind - Error: could not
perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more
information (Credentials cache file '/tmp/krb5cc_492' not
found)) errno 0 (Success)<br>
[26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not
perform interactive bind for id [] mech [GSSAPI]: error -2
(Local error)<br>
[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=<a href="http://metocentral02.abc.com/" target="_blank">meTocentral02.ABC.com</a>"
(central02:389): Replication bind with GSSAPI auth failed: LDAP
error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more
information (Credentials cache file '/tmp/krb5cc_492' not
found))<br>
[26/Apr/2016:18:40:19 +0800] - slapd started. Listening on All
Interfaces port 389 for LDAP requests<br>
[26/Apr/2016:18:40:19 +0800] - Listening on
/var/run/slapd-ABC-COM.socket for LDAPI requests<br>
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=<a href="http://metocentral02.abc.com/" target="_blank">meTocentral02.ABC.com</a>"
(central02:389): Replication bind with GSSAPI auth resumed<br>
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=<a href="http://metocentral02.abc.com/" target="_blank">meTocentral02.ABC.com</a>"
(central02:389): Missing data encountered<br>
[26/Apr/2016:18:40:23 +0800] </p>
<div style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div bgcolor="#FFFFFF" text="#000000"> <br>
<br>
<div>On 29.04.2016 13:02, <a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi All:</div>
<div><br>
</div>
<div>Any method can fall back the default ipa cert if I
didn't backup orginal?</div>
<div><br>
</div>
<div>Now the slapd and ipa cert storage quite a mess so
they cant replicate even disabled nsslapd:security to
off</div>
<div><br>
</div>
<div><br>
</div>
<div>thx</div>
<div>Barry</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
Hello Barry,<br>
<br>
Can you provide more info?<br>
<br>
What is your IPA version, OS?<br>
What are the symptoms you are experiencing?<br>
What do you mean by default ipa cert ?<br>
Can you provide logs from replicas?<br>
Can you provide `getcert list` command output?<br>
Can you provide `ipactl status` from both server?<br>
<br>
Replication uses GSSAPI, at least on new IPA versions, I'm not
sure if certificates are involved in this.<br>
<br>
Martin<br>
</div>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>