[Freeipa-users] Replicas in a state of confusion
Ian Levesque
ian at crystal.harvard.edu
Tue Feb 7 20:53:05 UTC 2012
On Feb 7, 2012, at 3:39 PM, Rob Crittenden wrote:
>>> <snip>
>>> Strange. Is your 389-ds instance running? If so can you run this query:
>>>
>>> ldapsearch -x -b 'cn=services,cn=accounts,dc=sbgrid,dc=org' '(krbprincipalname=*sbgrid-directory*)'
>>>
>>> I have the feeling that the principals for your IPA server have gone away.
>>
>> Rather than post all the output, I filtered on the krbPrincipalName attribute. Let me know if you want to see more:
>>
>> dn: krbprincipalname=dogtagldap/sbgrid-directory.in.hwlab at SBGRID.ORG,cn=servic
>> es,cn=accounts,dc=sbgrid,dc=org
>> krbPrincipalName: dogtagldap/sbgrid-directory.in.hwlab at SBGRID.ORG
>>
>> dn: krbprincipalname=ldap/sbgrid-directory.in.hwlab at SBGRID.ORG,cn=services,cn=
>> accounts,dc=sbgrid,dc=org
>> krbPrincipalName: ldap/sbgrid-directory.in.hwlab at SBGRID.ORG
>>
>> dn: krbprincipalname=HTTP/sbgrid-directory.in.hwlab at SBGRID.ORG,cn=services,cn=
>> accounts,dc=sbgrid,dc=org
>> krbPrincipalName: HTTP/sbgrid-directory.in.hwlab at SBGRID.ORG
>>
>>
>>
>>> Note that when removing a replica it is often necessary to restart its replication partners because sometimes there are old tickets cached. I've never seen a case where principals were actually removed though.
>>>
>>> What version of IPA are you running, on what distro?
>>
>>
>> CentOS 6.2
>> ipa-server-2.1.3-9.el6.x86_64
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>
>> Thanks,
>> Ian
>
> Ok, this looks good. Is the krb5kdc process running?
It is indeed:
[root at sbgrid-directory dirsrv]# kinit ian
Password for ian at SBGRID.ORG:
[root at sbgrid-directory dirsrv]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ian at SBGRID.ORG
Valid starting     Expires            Service principal
02/07/12 15:51:02  02/08/12 15:51:00  krbtgt/SBGRID.ORG at SBGRID.ORG
~irl