<div dir="ltr"><div><br>          Hello Barry,<br><br>          Can you provide more info?<br><br>          What is your IPA version, OS?</div><div><br></div><div>CentOS 6.5 </div><div><br></div><div>server1 - ipa-server-3.0.0-47.el6.centos.2.x86_64</div><div>server 2 - ipa-server-3.0.0-37.el6.x86_64<br><br></div><div>What are the symptoms you are experiencing?<br></div>          <div><br></div><div>server1's updates do not transfer to server 2, but server 2 can transfer to server 1 even with the cert expired</div><div><br></div><div>What do you mean by default ipa cert ? If the cert is the issue, then fall back to the original, non-expired self-signed cert.<br>          </div><div>Can you provide logs from replicas?<br>          </div><div><br></div><div>From server 2</div><div><br></div><div>[09/May/2016:12:09:05 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown error)) errno 0 (Success)<br>[09/May/2016:12:09:05 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)<br></div><div><br></div><div>Can you provide `getcert list` command output?<br>          </div><div><br></div><div>Server 1 - Number of certificates and requests being tracked: 0.  
< NO record</div><div>Server 2-  </div><div><br></div><div>Number of certificates and requests being tracked: 3.<br>Request ID '20140106083849':<br>        status: NEED_CSR_GEN_TOKEN<br>        stuck: yes<br>        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-COM/pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=<a href="http://ABC.COM">ABC.COM</a><br>        subject: CN=<a href="http://central02.ABC.com">central02.ABC.com</a>,O=<a href="http://ABC.COM">ABC.COM</a><br>        expires: 2015-12-19 06:40:44 UTC<br>        eku: id-kp-ABCAuth,id-kp-clientAuth<br>        pre-save command:<br>        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ABC-COM<br>        track: yes<br>        auto-renew: yes<br>Request ID '20140106083931':<br>        status: NEED_CSR_GEN_TOKEN<br>        stuck: yes<br>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=<a href="http://ABC.COM">ABC.COM</a><br>        subject: CN=<a href="http://central02.ABC.com">central02.ABC.com</a>,O=<a href="http://ABC.COM">ABC.COM</a><br>        expires: 2015-12-19 06:40:46 UTC<br>        eku: id-kp-ABCAuth,id-kp-clientAuth<br>        pre-save command:<br>        post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>        track: yes<br>        auto-renew: yes<br>Request ID '20140106083944':<br>        status: NEED_CSR_GEN_TOKEN<br>        stuck: yes<br>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate 
DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'<br>        CA: dogtag-ipa-retrieve-agent-submit<br>        issuer: CN=Certificate Authority,O=<a href="http://ABC.COM">ABC.COM</a><br>        subject: CN=IPA RA,O=<a href="http://ABC.COM">ABC.COM</a><br>        expires: 2015-11-12 08:41:45 UTC<br>        eku: id-kp-ABCAuth,id-kp-clientAuth<br>        pre-save command:<br>        post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>        track: yes<br>        auto-renew: yes<br></div><div><br></div><div><br></div><div>Can you provide `ipactl status` from both servers?<br></div><div><br></div><div>Server1 - Directory Service: RUNNING<br>KDC Service: RUNNING<br>KPASSWD Service: RUNNING<br>MEMCACHE Service: RUNNING<br>HTTP Service: RUNNING<br>CA Service: RUNNING</div><div><br></div><div><br></div><div>Server 2 = <br></div><div><br>Directory Service: RUNNING<br>KDC Service: RUNNING<br>KPASSWD Service: RUNNING<br>MEMCACHE Service: RUNNING<br>HTTP Service: RUNNING<br></div><div><br></div><div>Now I don't want any cert, just GSSAPI to work...</div><div><br></div><div><br>Replication uses GSSAPI, at least on new IPA versions, I'm not sure if certificates are involved in this.<br><br>          Martin<br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-05-02 18:28 GMT+08:00 Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hello,<br>
    <br>
    Can you try to upgrade server to the same version?<br>
    <br>
    You did not provide all the information I requested.<span class="HOEnZb"><font color="#888888"><br>
    <br>
    Martin</font></span><div><div class="h5"><br>
    <br>
    <div>On 29.04.2016 19:13, <a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>server 1:<br>
          ipa-server-3.0.0-26.el6_4.4.x86_64</div>
        <div><br>
        </div>
        <div>server2</div>
        <div><br>
        </div>
        <div>ipa-server-3.0.0-37.el6.x86_64<br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2016-04-30 1:10 GMT+08:00 <span dir="ltr"><<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
            <div dir="ltr"><br>
              ipa-server-3.0.0-37.el6.x86_64  << here<br>
            </div>
            <div>
              <div>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">2016-04-29 19:36 GMT+08:00
                    Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
                      <div bgcolor="#FFFFFF" text="#000000"> Please
                        keep user-list in CC<br>
                        <br>
                        You did not send all information I requested.<br>
                        <br>
                        Please use `rpm -ql ipa-server` to get exact
                        version number
                        <div>
                          <div><br>
                            <br>
                            <div>On 29.04.2016 13:32, <a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>
                              wrote:<br>
                            </div>
                            <blockquote type="cite">
                              <p dir="ltr">Error is from GSS API and I
                                think it relates to a cert issue.</p>
                              <p dir="ltr">Server1> server 2 fail<br>
                                Server 2   > server1 ok</p>
                              <p dir="ltr">FreeIPA 3.0 both</p>
                              <p dir="ltr">slapd_ldap_sasl_interactive_bind
                                - Error: could not perform interactive
                                bind for id [] mech [GSSAPI]: LDAP error
                                -2 (Local error) (SASL(-1): generic
                                failure: GSSAPI Error: Unspecified GSS
                                failure.  Minor code may provide more
                                information (Credentials cache file
                                '/tmp/krb5cc_492' not found)) errno 0
                                (Success)<br>
                                [26/Apr/2016:18:40:19 +0800]
                                slapi_ldap_bind - Error: could not
                                perform interactive bind for id [] mech
                                [GSSAPI]: error -2 (Local error)<br>
                                [26/Apr/2016:18:40:19 +0800]
                                NSMMReplicationPlugin - agmt="cn=<a href="http://metocentral02.abc.com/" target="_blank">meTocentral02.ABC.com</a>"
                                (central02:389): Replication bind with
                                GSSAPI auth failed: LDAP error -2 (Local
                                error) (SASL(-1): generic failure:
                                GSSAPI Error: Unspecified GSS failure. 
                                Minor code may provide more information
                                (Credentials cache file
                                '/tmp/krb5cc_492' not found))<br>
                                [26/Apr/2016:18:40:19 +0800] - slapd
                                started.  Listening on All Interfaces
                                port 389 for LDAP requests<br>
                                [26/Apr/2016:18:40:19 +0800] - Listening
                                on /var/run/slapd-ABC-COM.socket for
                                LDAPI requests<br>
                                [26/Apr/2016:18:40:23 +0800]
                                NSMMReplicationPlugin - agmt="cn=<a href="http://metocentral02.abc.com/" target="_blank">meTocentral02.ABC.com</a>"
                                (central02:389): Replication bind with
                                GSSAPI auth resumed<br>
                                [26/Apr/2016:18:40:23 +0800]
                                NSMMReplicationPlugin - agmt="cn=<a href="http://metocentral02.abc.com/" target="_blank">meTocentral02.ABC.com</a>"
                                (central02:389): Missing data
                                encountered<br>
                                [26/Apr/2016:18:40:23 +0800] </p>
                              <div style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
                                <div bgcolor="#FFFFFF" text="#000000"> <br>
                                  <br>
                                  <div>On 29.04.2016 13:02, <a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>
                                    wrote:<br>
                                  </div>
                                  <blockquote type="cite">
                                    <div dir="ltr">
                                      <div>Hi All:</div>
                                      <div><br>
                                      </div>
                                      <div>Is there any method to fall back to
                                        the default IPA cert if I didn't
                                        back up the original?</div>
                                      <div><br>
                                      </div>
                                      <div>Now the slapd and IPA cert
                                        storage are quite a mess, so they
                                        can't replicate even with
                                        nsslapd:security disabled (set to off)</div>
                                      <div><br>
                                      </div>
                                      <div><br>
                                      </div>
                                      <div>thx</div>
                                      <div>Barry</div>
                                    </div>
                                    <br>
                                    <fieldset></fieldset>
                                    <br>
                                  </blockquote>
                                  Hello Barry,<br>
                                  <br>
                                  Can you provide more info?<br>
                                  <br>
                                  What is your IPA version, OS?<br>
                                  What are the symptoms you are
                                  experiencing?<br>
                                  What do you mean by default ipa cert ?<br>
                                  Can you provide logs from replicas?<br>
                                  Can you provide `getcert list` command
                                  output?<br>
                                  Can you provide `ipactl status` from
                                  both server?<br>
                                  <br>
                                  Replication uses GSSAPI, at least on
                                  new IPA versions, I'm not sure if
                                  certificates are involved in this.<br>
                                  <br>
                                  Martin<br>
                                </div>
                              </div>
                            </blockquote>
                            <br>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
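<p>The thread above hinges on two pieces of diagnostic output: <code>getcert list</code> (showing tracking requests that are stuck, not in MONITORING state, or past their expiry) and the 389-ds errors log (showing replication binds with GSSAPI auth failing). The following script is an added example written for this page, not code from the thread's participants or from FreeIPA; it parses both formats so a replica admin can spot these conditions quickly across many hosts. The sample <code>getcert</code> and log text embedded below is constructed to match the shape of the output quoted in the thread (host names, nicknames and the EXAMPLE.COM realm are made up), and the 30-day "expiring soon" threshold is an assumption of this example.</p>

```python
"""Flag certmonger tracking problems and GSSAPI replication-bind failures.

Added example for this thread. The sample inputs are constructed to match the
formats quoted in the thread; they are not real host data.
"""
import re
from datetime import datetime, timezone

# Constructed sample in the layout printed by certmonger's `getcert list`.
SAMPLE_GETCERT = """Number of certificates and requests being tracked: 2.
Request ID '20140106083849':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=replica2.example.com,O=EXAMPLE.COM
        expires: 2015-12-19 06:40:44 UTC
        track: yes
        auto-renew: yes
Request ID '20140106083931':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=replica2.example.com,O=EXAMPLE.COM
        expires: 2017-12-19 06:40:46 UTC
        track: yes
        auto-renew: yes
"""

# Constructed 389-ds errors-log lines in the shape quoted in the thread.
SAMPLE_ERRORS_LOG = """[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meToreplica2.example.com" (replica2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meToreplica2.example.com" (replica2:389): Replication bind with GSSAPI auth resumed
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\s+([^:]+):\s?(.*)$")
BIND_FAIL_RE = re.compile(
    r'^\[([^\]]+)\] NSMMReplicationPlugin - agmt="([^"]+)" \(([^)]+)\): '
    r"Replication bind with GSSAPI auth failed: LDAP error (-?\d+) \(([^)]*)\)(?: \((.*)\))?$"
)
EXPIRY_WARN_DAYS = 30  # assumption of this example, not a certmonger setting


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names certmonger prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def tracked_count(text):
    """Number certmonger reports in the first line; 0 tracked requests is itself a finding."""
    m = re.search(r"Number of certificates and requests being tracked: (\d+)", text)
    return int(m.group(1)) if m else 0


def parse_expiry(value):
    """certmonger prints e.g. '2015-12-19 06:40:44 UTC'; return an aware UTC datetime."""
    return datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def check_requests(requests, now):
    """Return (request_id, subject, [problems]) for requests needing admin attention."""
    findings = []
    for r in requests:
        problems = []
        if r.get("stuck") == "yes":
            problems.append("stuck")
        if r.get("status") != "MONITORING":
            problems.append("status=" + r.get("status", "?"))
        if r.get("expires"):
            exp = parse_expiry(r["expires"])
            if exp <= now:
                problems.append("expired " + r["expires"])
            elif (exp - now).days < EXPIRY_WARN_DAYS:
                problems.append("expires within %d days" % EXPIRY_WARN_DAYS)
        if problems:
            findings.append((r["request_id"], r.get("subject", "?"), problems))
    return findings


def gssapi_bind_failures(log_text):
    """Extract failed GSSAPI replication binds with the LDAP code and the GSS minor-code text."""
    out = []
    for line in log_text.splitlines():
        m = BIND_FAIL_RE.match(line)
        if m:
            ts, agmt, peer, code, msg, detail = m.groups()
            out.append({"time": ts, "agreement": agmt, "peer": peer,
                        "ldap_error": int(code), "message": msg, "detail": detail or ""})
    return out


if __name__ == "__main__":
    now = datetime(2016, 5, 9, tzinfo=timezone.utc)
    if tracked_count(SAMPLE_GETCERT) == 0:
        print("WARNING: certmonger tracks no certificates on this host")
    for rid, subject, problems in check_requests(parse_getcert_list(SAMPLE_GETCERT), now):
        print("request %s (%s): %s" % (rid, subject, ", ".join(problems)))
    for f in gssapi_bind_failures(SAMPLE_ERRORS_LOG):
        print("%s %s -> %s: LDAP %d (%s) %s" % (f["time"], f["agreement"], f["peer"],
                                              f["ldap_error"], f["message"], f["detail"]))
```

<p>Run against real output by replacing the two samples with the text of <code>getcert list</code> and <code>/var/log/dirsrv/slapd-REALM/errors</code>. A request that is <code>stuck: yes</code> with an expired certificate, as on server 2 in the thread, means certmonger will not renew on its own; a host that tracks zero requests, as server 1 reports, has no renewal in place at all. The log parser separates the LDAP result code (-2 local error versus 49 invalid credentials, both of which appear in the thread) from the GSS minor-code text, since the former points at the local credential cache and the latter at the peer's view of the principal.</p>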