[Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.

Rob Crittenden rcritten at redhat.com
Tue May 8 13:36:51 UTC 2012


Simo Sorce wrote:
> On Mon, 2012-05-07 at 20:38 -0700, David Copperfield wrote:
>> I have an IPA replica server with disk problems, and then it was
>> reimaged and rebuilt. But when the IPA replica function is rebuilt, it
>> reports the following problem:
>>
>>
>> [root@ipareplica02 ipa]# ipa-replica-install --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
>>
>> ...
>>    [21/29]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [ipamaster.example.com] reports: Update failed! Status: [49  - LDAP error: Invalid credentials]
>> ...
>>
>>
>> Before I ran the replica rebuilding step on the IPA replica, I already ran
>> 'ipa-replica-manage disconn ipareplica01.example.com' on the IPA master,
>> and deleted the host entry for ipareplica02 as well.
>>
>>
>> Did I miss any steps above? Please help. Thanks.
>
> Due to the way Kerberos tickets are built you need to restart the master
> this replica was replicating to before you rebuild a replica with the
> exact same name.
> This is because krb tickets are cached but you will change the long term
> key with a full reinstall, so the current master will have a ticket the
> replica cannot decrypt.
>
> Simo.
>

The connect/disconnect commands for ipa-replica-manage are used to 
manage the replication agreements between masters. To completely remove 
a master you want the delete command. We improved the man page 
documentation of this a bit in the 2.2 release.

rob



