[Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.

David Copperfield cao2dan at yahoo.com
Tue May 8 19:20:21 UTC 2012


Hi Simo and all,

Thanks for your reply.

Do you mean restarting the ipa service on the IPA master, like 'service ipa restart'? Or running 'kdestroy' on ipamaster to remove Kerberos tickets? It would be great if you could elaborate on this: which IPA replica Kerberos principal and replica Kerberos tickets are involved, and where they are stored.

Thanks.

--David





________________________________
 From: Simo Sorce <simo at redhat.com>
To: David Copperfield <cao2dan at yahoo.com> 
Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com> 
Sent: Tuesday, May 8, 2012 6:08 AM
Subject: Re: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.
 
On Mon, 2012-05-07 at 20:38 -0700, David Copperfield wrote:
> I have an IPA replica server with disk problems, and then it was
> reimaged and rebuilt. But when the IPA replica function is rebuilt, it
> reports the following problem:
> 
> 
> [root at ipareplica02 ipa]# ipa-replica-install
> --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
> 
> ...
>   [21/29]: setting up initial replication
> Starting replication, please wait until this has completed.
> [ipamaster.example.com] reports: Update failed! Status: [49  - LDAP
> error: Invalid credentials]
> ...
> 
> 
> Before I ran the replica rebuilding step on the IPA replica, I had already run
> 'ipa-replica-manage disconn ipareplica01.example.com' on the IPA master,
> and deleted the host entry for ipareplica02 as well.
> 
> 
> Did I miss any steps above? Please help. Thanks.

Due to the way Kerberos tickets are built, you need to restart the master
this replica was replicating to before you rebuild a replica with the
exact same name.
This is because krb tickets are cached, but you will change the long-term
key with a full reinstall, so the current master will have a ticket the
replica cannot decrypt.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
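
A toy model of the cached-ticket failure described in the reply above, added here as an illustration; it is not part of the original thread and is not FreeIPA or MIT Kerberos code. The `ldap/...` principal names, the `KDC` and `Master` classes and the seal/unseal cipher are assumptions made for the sketch, not real Kerberos enctypes or APIs.

```python
import hashlib, hmac, os

def _xor(key, nonce, data):  # toy keystream, not a real Kerberos enctype
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = _xor(key, nonce, plaintext)
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket was sealed under a different long-term key")
    return _xor(key, nonce, body)

class KDC:
    def __init__(self):
        self.keys = {}
    def rekey(self, principal):  # models what a full reinstall does to the key
        self.keys[principal] = os.urandom(32)
        return self.keys[principal]
    def issue_ticket(self, client, service):
        return seal(self.keys[service], ("client=" + client).encode())

class Master:
    def __init__(self, kdc, name):
        self.kdc, self.name, self.cache = kdc, name, {}
    def ticket_for(self, service):
        # Tickets are reused from the cache until the process restarts.
        if service not in self.cache:
            self.cache[service] = self.kdc.issue_ticket(self.name, service)
        return self.cache[service]

def replica_accepts(key, ticket):
    try:
        return unseal(key, ticket).startswith(b"client=")
    except ValueError:
        return False

def simulate(svc="ldap/ipareplica02.example.com"):  # hypothetical principal
    master = Master(KDC(), "ldap/ipamaster.example.com")  # hypothetical principal
    before = replica_accepts(master.kdc.rekey(svc), master.ticket_for(svc))
    new_key = master.kdc.rekey(svc)  # replica reinstalled under the same name
    stale = replica_accepts(new_key, master.ticket_for(svc))
    master.cache.clear()  # models restarting the master
    return before, stale, replica_accepts(new_key, master.ticket_for(svc))
```

`simulate()` returns `(True, False, True)`: the ticket works before the reinstall, the cached copy is rejected once the replica's key changes, and a ticket fetched after the cache is cleared is accepted again.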