[Freeipa-users] IPA not authenticating - SSSD issue maybe

Dmitri Pal dpal at redhat.com
Tue Apr 16 01:21:57 UTC 2013


On 04/15/2013 08:41 PM, Christian Hernandez wrote:
> Yup, looks like replication is broken =\
>
> [root@ipa1.gln.4over.com ipa]# ipa-replica-manage disconnect ipa1.la3.4over.com
> Failed to get list of agreements from 'ipa1.la3.4over.com': Invalid
> credentials SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context
>
> [root@ipa1.gln.4over.com ipa]# ipa-replica-manage list ipa1.la3.4over.com
> Failed to get data from 'ipa1.la3.4over.com': Invalid credentials
> SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>
> [root@ipa1.gln.4over.com ipa]# ipa-replica-manage list
> ipa1.la3.4over.com: master
> ipa1.gln.4over.com: master
> ipa1.da2.4over.com: master


Do the machines resolve each other correctly?

>
>
> Thank you,
>
> Christian Hernandez
> 1225 Los Angeles Street
> Glendale, CA 91204
> Phone: 877-782-2737 ext. 4566
> Fax: 818-265-3152
> christianh at 4over.com
> www.4over.com
>
>
> On Mon, Apr 15, 2013 at 4:58 PM, Christian Hernandez
> <christianh at 4over.com> wrote:
>
>     Okay,
>
>     So I tried to update to the newest version. Update went okay and
>     users can authenticate (as far as I can tell)...
>
>     But I think maybe replication broke?
>
>     [root@ipa1.da2.4over.com log]# ipa-replica-manage force-sync --from=ipa1.gln.4over.com
>     Invalid password
>
>     Any ideas?
>
>
>     Thank you,
>
>     Christian Hernandez
>     1225 Los Angeles Street
>     Glendale, CA 91204
>     Phone: 877-782-2737 ext. 4566
>     Fax: 818-265-3152
>     christianh at 4over.com
>     www.4over.com
>
>
>     On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek <jhrozek at redhat.com>
>     wrote:
>
>         On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
>         > There are some odd errors in ldap_child.log but it seems to cover a
>         > later period than the other logs (not being able to bind using its
>         > keytab is a bad thing).
>         >
>         > I think what you'll want to do, and this may be relatively tough, is
>         > try to correlate these failures with the 389-ds access log and the
>         > KDC logs to see if there are equivalent failures at around the same
>         > times.
>
>         I agree, the ldap_child failing usually indicates an issue with the
>         keytab and/or the KDC. The ldap_child functionality is roughly
>         equivalent to "kinit -k".
>
>         _______________________________________________
>         Freeipa-users mailing list
>         Freeipa-users at redhat.com
>         https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
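
One way to answer the resolution question above for all three masters, as an added example that is not part of the original thread: it checks that each replica name resolves forward and that every address reverses back to the same name, since Kerberos/GSSAPI depends on consistent hostnames. The function names, the injectable resolver hooks and the sample records (documentation addresses in 192.0.2.0/24) are assumptions constructed for illustration.

```python
import socket

def dns_forward(name):
    """Return the set of addresses a name resolves to (empty on failure)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def dns_reverse(addr):
    """Return the PTR name for an address, or None on failure."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_host(name, forward=dns_forward, reverse=dns_reverse):
    """List forward/reverse inconsistencies for one host (empty = consistent)."""
    addrs = forward(name)
    if not addrs:
        return [f"{name}: no forward (A/AAAA) record"]
    problems = []
    for addr in sorted(addrs):
        ptr = reverse(addr)
        if ptr is None:
            problems.append(f"{name}: {addr} has no PTR record")
        elif ptr.rstrip(".").lower() != name.rstrip(".").lower():
            problems.append(f"{name}: {addr} reverses to {ptr}")
    return problems

def check_replicas(names, forward=dns_forward, reverse=dns_reverse):
    """Map each replica name to its list of problems."""
    return {n: check_host(n, forward, reverse) for n in names}

# Constructed sample records so the example runs offline; these are not the
# poster's real DNS data.
SAMPLE_A = {"ipa1.gln.4over.com": {"192.0.2.10"},
            "ipa1.la3.4over.com": {"192.0.2.20"},
            "ipa1.da2.4over.com": {"192.0.2.30"}}
SAMPLE_PTR = {"192.0.2.10": "ipa1.gln.4over.com",
              "192.0.2.20": "ipa1.4over.com"}  # mismatch; .30 has no PTR

def demo():
    """Run the check against the constructed records instead of live DNS."""
    return check_replicas(SAMPLE_A, lambda n: SAMPLE_A.get(n, set()),
                          lambda a: SAMPLE_PTR.get(a))

if __name__ == "__main__":
    for host, probs in demo().items():
        print(host, "OK" if not probs else probs)
```

Calling `check_replicas([...])` without the hook arguments runs the same checks against the system resolver; run it on each master, since each one may see different DNS answers.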

