[Freeipa-users] IPA not authenticating - SSSD issue maybe

Christian Hernandez christianh at 4over.com
Tue Apr 16 00:41:37 UTC 2013


Yup, looks like replication is broken =\

[root@ipa1.gln.4over.com ipa]# ipa-replica-manage disconnect ipa1.la3.4over.com
Failed to get list of agreements from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

[root@ipa1.gln.4over.com ipa]# ipa-replica-manage list ipa1.la3.4over.com
Failed to get data from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

[root@ipa1.gln.4over.com ipa]# ipa-replica-manage list
ipa1.la3.4over.com: master
ipa1.gln.4over.com: master
ipa1.da2.4over.com: master


Thank you,

Christian Hernandez
1225 Los Angeles Street
Glendale, CA 91204
Phone: 877-782-2737 ext. 4566
Fax: 818-265-3152
christianh at 4over.com <mailto:christianh at 4over.com>
www.4over.com <http://www.4over.com>


On Mon, Apr 15, 2013 at 4:58 PM, Christian Hernandez <christianh at 4over.com> wrote:

> Okay,
>
> So I tried to update to the newest version. Update went okay and users can
> authenticate (as far as I can tell)...
>
> But I think maybe replication broke?
>
> [root@ipa1.da2.4over.com log]# ipa-replica-manage force-sync --from=ipa1.gln.4over.com
> Invalid password
>
> Any ideas?
>
>
>
> On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>> On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
>> > There are some odd errors in ldap_child.log but it seems to cover a
>> > later period than the other logs (not being able to bind using its
>> > keytab is a bad thing).
>> >
>> > I think what you'll want to do, and this may be relatively tough, is
>> > try to correlate these failures with the 389-ds access log and the
>> > KDC logs to see if there are equivalent failures at around the same
>> > times.
>>
>> I agree, the ldap_child failing usually indicates an issue with the
>> keytab and/or the KDC. The ldap_child functionality is roughly equivalent
>> to "kinit -k".
>>
>
>
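
One way to do the correlation Rob Crittenden suggests in the quoted reply (ldap_child.log failures against the 389-ds access log and the KDC log), as an added example that is not part of the original thread or of FreeIPA/SSSD. The function names are hypothetical and the sample lines are constructed; it assumes all three logs are written in the same local time and that the year of the krb5kdc log is known.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the usual format of each log (not from the thread).
LDAP_CHILD = [
    "(Mon Apr 15 14:29:18 2013) [[sssd[ldap_child[2345]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed",
    "(Mon Apr 15 15:02:40 2013) [[sssd[ldap_child[2399]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Cannot contact any KDC for realm 'EXAMPLE.COM'",
]
DS_ACCESS = [
    "[15/Apr/2013:14:29:19 -0400] conn=42 op=0 RESULT err=49 tag=97 nentries=0 etime=0",
    "[15/Apr/2013:14:40:00 -0400] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0",
]
KDC = [
    "Apr 15 14:29:18 ipa1.example.com krb5kdc[1201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: host/client1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed",
    "Apr 15 14:41:07 ipa1.example.com krb5kdc[1201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1366051267, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
]

def ldap_child_failures(lines):
    # SSSD debug levels 0x0010/0x0020/0x0040 are fatal, critical and serious failures.
    pat = re.compile(r"^\((.+?)\) .*\(0x00[124]0\): (.*)$")
    hits = (pat.match(line) for line in lines)
    return [(datetime.strptime(m[1], "%a %b %d %H:%M:%S %Y"), m[2]) for m in hits if m]

def ds_failures(lines):
    # err=49 is LDAP invalidCredentials; the UTC offset is dropped to keep local wall-clock time.
    pat = re.compile(r"^\[(.+?)\] (conn=\d+ op=\d+ RESULT err=49 .*)$")
    hits = (pat.match(line) for line in lines)
    return [(datetime.strptime(m[1], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None), m[2]) for m in hits if m]

def kdc_failures(lines, year):
    # krb5kdc timestamps carry no year; ISSUE and NEEDED_PREAUTH are normal outcomes.
    pat = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]\(\w+\): \w+_REQ .*?: ([A-Z_]+): (.*)$")
    hits = (pat.match(line) for line in lines)
    return [(datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S"), f"{m[2]}: {m[3]}")
            for m in hits if m and m[2] not in ("ISSUE", "NEEDED_PREAUTH")]

def correlate(child, ds, kdc, window=timedelta(seconds=5)):
    """For each ldap_child failure, list server-side failures within +/- window."""
    def near(t, events):
        return [msg for ts, msg in events if abs(ts - t) <= window]
    return [{"time": t, "ldap_child": msg, "389-ds": near(t, ds), "kdc": near(t, kdc)}
            for t, msg in child]

if __name__ == "__main__":
    for row in correlate(ldap_child_failures(LDAP_CHILD), ds_failures(DS_ACCESS), kdc_failures(KDC, 2013)):
        print(row)
```

An ldap_child failure with a matching KDC or directory-server failure points at the keytab or the server side; one with no server-side counterpart in the window suggests the request never arrived.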