[Freeipa-users] Replicas in a state of confusion

Rich Megginson rmeggins at redhat.com
Thu Feb 9 21:59:13 UTC 2012


On 02/09/2012 02:25 PM, Ian Levesque wrote:
> On Feb 9, 2012, at 1:57 PM, Simo Sorce wrote:
>
>> On Tue, 2012-02-07 at 23:19 -0500, Ian Levesque wrote:
>>
>>> On the replica:
>>>
>>> 	[21/29]: setting up initial replication
>>> 	Starting replication, please wait until this has completed.
>>> 	[sbgrid-directory.in.hwlab] reports: Update failed! Status: [-2  -
>>> System error]
>>> 	creation of replica failed: Failed to start replication
>>>
>>> On the "primary":
>>>
>>> 	slapd_ldap_sasl_interactive_bind - Error: could not perform
>>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>>> Minor code may provide more information (Cannot contact any KDC for
>>> requested realm))
>>>
>>> 	slapi_ldap_bind - Error: could not perform interactive bind for id []
>>> mech [GSSAPI]: error -2 (Local error)
>>>
>>> `ipa-replica-manage list` on the primary still lists both...
>>>
>>> 	sbgrid-directory.in.hwlab: master
>>> 	sbgrid-directory-replica.in.hwlab: master
>>>
>>> Thanks for your continued interest.
>> I think you failed to properly clean up before reinstalling the replica.
>>
>> On the replica make sure you run:
>> ipa-server-install --uninstall
>>
>> On the primary:
>> ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab
>>
>> You will have to force because you already removed the replica.
>>
>> Once you do that you can generate a new replica file for the replica and
>> retry to set up replication.
>>
>> Let me know if you encounter any other error once you have done that.
> I tried what you suggested and today, the replication did complete.
>
> That said, there were a bunch of errors on the initial master, including:
>
> id2entry - str2entry returned NULL for id 12, string="rdn"
> _entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct to RDN
> (snip - continues for each automountmapname cn entry)

What version of 389-ds-base are you running?  rpm -qi 389-ds-base

> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20
> (repeated several times)

We believe this is benign.

> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> (repeated several times)
>
> NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab" (sbgrid-directory-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)

err=49 either means the Kerberos credentials are incorrect, or the SASL
mapping of the principal to the DN of the entry failed.

> And ~ every 5 minutes, I see the familiar-by-now:
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>
> The replica reports both masters when I run `ipa-replica-manage list`, but the primary master only lists itself.
>
> Things /appear/ to be working correctly, but none of this is making me feel very confident...
>
> Thanks,
> Ian

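Added example (not part of the thread and not FreeIPA or 389-ds code): a small triage script that sorts the errors-log messages quoted above into the cases the replies distinguish, namely error -2 with "Cannot contact any KDC", error 49 (credentials or SASL mapping), and the referral message described as benign. The sample lines are constructed from the messages in the thread, and the category names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, built from the messages quoted in the thread.
SAMPLE_LOG = """\
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for requested realm))
slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab" (sbgrid-directory-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20
"""

ERR_RE = re.compile(r'\berror (-?\d+) \(')    # "error -2 (" / "LDAP error 49 ("
AGMT_RE = re.compile(r'agmt="([^"]+)"')       # replication agreement name

def classify(line):
    """Map one log line to a category (names are this example's own), or None."""
    if "repl_set_mtn_referrals" in line:
        return "referrals_not_set"            # described as benign in the reply
    if "GSSAPI" not in line:
        return None
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    if code == 49:
        # Per the reply: bad Kerberos credentials or failed SASL principal-to-DN mapping.
        return "err49_credentials_or_sasl_mapping"
    if code == -2:
        return "kdc_unreachable" if "Cannot contact any KDC" in line else "local_error"
    return f"gssapi_error_{code}"

def triage(log_text):
    """Return (overall counts, per-agreement counts) for the lines of interest."""
    counts = Counter()
    by_agreement = defaultdict(Counter)
    for line in log_text.splitlines():
        category = classify(line)
        if category is None:
            continue
        counts[category] += 1
        agmt = AGMT_RE.search(line)
        if agmt:
            by_agreement[agmt.group(1)][category] += 1
    return counts, {name: dict(c) for name, c in by_agreement.items()}

if __name__ == "__main__":
    totals, per_agreement = triage(SAMPLE_LOG)
    print(dict(totals))
    print(per_agreement)
```
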