<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hello,<br>
<br>
Can you try to upgrade server to the same version?<br>
<br>
You did not provide all the information I requested.<br>
<br>
Martin<br>
<br>
<div class="moz-cite-prefix">On 29.04.2016 19:13, <a class="moz-txt-link-abbreviated" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>
wrote:<br>
</div>
<blockquote
cite="mid:CAELz9dt2meoaxh_tHtnc9VTrTkn4rdNw4TPL=BdDdF_-7w6M+A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>server 1:<br>
ipa-server-3.0.0-26.el6_4.4.x86_64</div>
<div><br>
</div>
<div>server2</div>
<div><br>
</div>
<div>ipa-server-3.0.0-37.el6.x86_64<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-04-30 1:10 GMT+08:00 <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br>
ipa-server-3.0.0-37.el6.x86_64 &lt;&lt; here<br>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-04-29 19:36 GMT+08:00
Martin Basti <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0px
0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div bgcolor="#FFFFFF" text="#000000"> Please
keep the user list in CC<br>
<br>
You did not send all information I requested.<br>
<br>
Please use `rpm -ql ipa-server` to get exact
version number
<div>
<div><br>
<br>
<div>On 29.04.2016 13:32, <a
moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a>
wrote:<br>
</div>
<blockquote type="cite">
<p dir="ltr">Error is from GSS API and I'm
thinking if it relates to a cert issue.</p>
<p dir="ltr">Server1> server 2 fail<br>
Server 2 > server1 ok</p>
<p dir="ltr">FreeIPA 3.0 both</p>
<p dir="ltr">slapd_ldap_sasl_interactive_bind
- Error: could not perform interactive
bind for id [] mech [GSSAPI]: LDAP error
-2 (Local error) (SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more
information (Credentials cache file
'/tmp/krb5cc_492' not found)) errno 0
(Success)<br>
[26/Apr/2016:18:40:19 +0800]
slapi_ldap_bind - Error: could not
perform interactive bind for id [] mech
[GSSAPI]: error -2 (Local error)<br>
[26/Apr/2016:18:40:19 +0800]
NSMMReplicationPlugin - agmt="cn=<a
moz-do-not-send="true"
href="http://metocentral02.abc.com/"
target="_blank">meTocentral02.ABC.com</a>"
(central02:389): Replication bind with
GSSAPI auth failed: LDAP error -2 (Local
error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information
(Credentials cache file
'/tmp/krb5cc_492' not found))<br>
[26/Apr/2016:18:40:19 +0800] - slapd
started. Listening on All Interfaces
port 389 for LDAP requests<br>
[26/Apr/2016:18:40:19 +0800] - Listening
on /var/run/slapd-ABC-COM.socket for
LDAPI requests<br>
[26/Apr/2016:18:40:23 +0800]
NSMMReplicationPlugin - agmt="cn=<a
moz-do-not-send="true"
href="http://metocentral02.abc.com/"
target="_blank">meTocentral02.ABC.com</a>"
(central02:389): Replication bind with
GSSAPI auth resumed<br>
[26/Apr/2016:18:40:23 +0800]
NSMMReplicationPlugin - agmt="cn=<a
moz-do-not-send="true"
href="http://metocentral02.abc.com/"
target="_blank">meTocentral02.ABC.com</a>"
(central02:389): Missing data
encountered<br>
[26/Apr/2016:18:40:23 +0800] </p>
<div style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div bgcolor="#FFFFFF" text="#000000"> <br>
<br>
<div>On 29.04.2016 13:02, <a
moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a>
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi All:</div>
<div><br>
</div>
<div>Is there any method to fall back to the
default IPA cert if I didn't
back up the original?</div>
<div><br>
</div>
<div>Now the slapd and IPA cert
storage is quite a mess, so they
can't replicate even with
nsslapd:security set to off</div>
<div><br>
</div>
<div><br>
</div>
<div>thx</div>
<div>Barry</div>
</div>
<br>
<br>
</blockquote>
Hello Barry,<br>
<br>
Can you provide more info?<br>
<br>
What is your IPA version, OS?<br>
What are the symptoms you are
experiencing?<br>
What do you mean by default ipa cert?<br>
Can you provide logs from replicas?<br>
Can you provide `getcert list` command
output?<br>
Can you provide `ipactl status` from
both servers?<br>
<br>
Replication uses GSSAPI, at least on
new IPA versions, I'm not sure if
certificates are involved in this.<br>
<br>
Martin<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>