[Freeipa-users] IPA not authenticating - SSSD issue maybe

Christian Hernandez christianh at 4over.com
Tue Apr 16 02:11:09 UTC 2013


Looks like I've narrowed it down to...something...

[root at ipa1.la3.4over.com ~]# ipa-replica-manage list ipa1.gln.4over.com
Failed to get data from 'ipa1.gln.4over.com': Invalid credentials
SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
[root at ipa1.la3.4over.com ~]# ipa-replica-manage list ipa1.da2.4over.com
ipa1.gln.4over.com: replica
ipa1.la3.4over.com: replica
[root at ipa1.la3.4over.com ~]# ipa-replica-manage list $(hostname)
ipa1.da2.4over.com: replica
ipa1.gln.4over.com: replica
[root at ipa1.la3.4over.com ~]# rpm -qa |egrep '389|ipa'
ipa-admintools-3.0.0-26.el6_4.2.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-3.0.0-26.el6_4.2.x86_64
libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
389-ds-base-libs-1.2.11.15-12.el6_4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.4.el6_4.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
389-ds-base-1.2.11.15-12.el6_4.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64

Although when I try to remove the replication agreement...I can't =\

[root at ipa1.la3.4over.com ~]# ipa-replica-manage disconnect $(hostname)
ipa1.gln.4over.com
Failed to get list of agreements from 'ipa1.gln.4over.com': Invalid
credentials SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context


Thank you,

Christian Hernandez
1225 Los Angeles Street
Glendale, CA 91204
Phone: 877-782-2737 ext. 4566
Fax: 818-265-3152
christianh at 4over.com <mailto:christianh at 4over.com>
www.4over.com <http://www.4over.com>


On Mon, Apr 15, 2013 at 6:58 PM, Christian Hernandez
<christianh at 4over.com> wrote:

> Yes; I verified that both forward and reverse DNS match on all nodes.
>
>
> Thank you,
>
> Christian Hernandez
>
>
> On Mon, Apr 15, 2013 at 6:21 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>> On 04/15/2013 08:41 PM, Christian Hernandez wrote:
>>
>> Yup, looks like replication is broken =\
>>
>> [root at ipa1.gln.4over.com ipa]# ipa-replica-manage disconnect
>> ipa1.la3.4over.com
>> Failed to get list of agreements from 'ipa1.la3.4over.com': Invalid
>> credentials SASL(-13): authentication failure: GSSAPI Failure:
>> gss_accept_sec_context
>>
>> [root at ipa1.gln.4over.com ipa]# ipa-replica-manage list ipa1.la3.4over.com
>> Failed to get data from 'ipa1.la3.4over.com': Invalid credentials
>> SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>>
>> [root at ipa1.gln.4over.com ipa]# ipa-replica-manage list
>> ipa1.la3.4over.com: master
>> ipa1.gln.4over.com: master
>> ipa1.da2.4over.com: master
>>
>>
>>
>> Do the machines resolve each other correctly?
>>
>>
>>
>>
>> Thank you,
>>
>> Christian Hernandez
>>
>>
>> On Mon, Apr 15, 2013 at 4:58 PM, Christian Hernandez <
>> christianh at 4over.com> wrote:
>>
>>> Okay,
>>>
>>> So I tried to update to the newest version. Update went okay and users
>>> can authenticate (as far as I can tell)...
>>>
>>> But I think may be replication broke?
>>>
>>> [root at ipa1.da2.4over.com log]# ipa-replica-manage force-sync  --from=
>>> ipa1.gln.4over.com
>>> Invalid password
>>>
>>> Any ideas?
>>>
>>>
>>> Thank you,
>>>
>>> Christian Hernandez
>>>
>>>
>>> On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>>>
>>>> On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
>>>> > There are some odd errors in ldap_child.log but it seems to cover a
>>>> > later period than the other logs (not being able to bind using its
>>>> > keytab is a bad thing).
>>>> >
>>>> > I think what you'll want to do, and this may be relatively tough, is
>>>> > try to correlate these failures with the 389-ds access log and the
>>>> > KDC logs to see if there are equivalent failures at around the same
>>>> > times.
>>>>
>>>> I agree, the ldap_child failing usually indicates an issue with the
>>>> keytab and/or the KDC. The ldap_child functionality is roughly
>>>> equivalent to "kinit -k".
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>>
>>
>>
>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>
>>
>>
>
>
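Rob and Jakub suggest lining up the ldap_child keytab failures with the KDC log to see whether the KDC rejected the host principal at the same moments. The script below is an added example, not code from the thread or from the FreeIPA/SSSD projects: it parses constructed sample lines (the log formats are approximations of SSSD's ldap_child.log and the MIT krb5kdc log, and the realm EXAMPLE.COM, PIDs and IPs are made up) and reports every non-ISSUE KDC event within a few seconds of each ldap_child failure.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the thread); adjust the regexes below if
# your SSSD or krb5kdc versions log in a different shape.
LDAP_CHILD_LOG = """\
(Mon Apr 15 14:29:18 2013) [[sssd[ldap_child[4123]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Mon Apr 15 14:29:18 2013) [[sssd[ldap_child[4123]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Apr 15 14:35:02 2013) [[sssd[ldap_child[4201]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Clock skew too great
"""
KDC_LOG = """\
Apr 15 14:29:17 ipa1.la3.4over.com krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: PREAUTH_FAILED: host/ipa1.la3.4over.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Apr 15 14:31:40 ipa1.la3.4over.com krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.4: ISSUE: authtime 1366036300, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 15 14:35:03 ipa1.la3.4over.com krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: CLOCK_SKEW: host/ipa1.la3.4over.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clock skew too great
"""

# Only the TGT-acquisition function of ldap_child (the "kinit -k" equivalent).
SSSD_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[\[sssd\[ldap_child\[\d+\]\]\]\] "
                     r"\[ldap_child_get_tgt_sync\] \(0x[0-9a-f]{4}\): (?P<msg>.*)$")
# KDC status word (ISSUE, PREAUTH_FAILED, CLOCK_SKEW, ...) and client principal.
KDC_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
                    r"\S+ .*?\d+\.\d+\.\d+\.\d+: (?P<status>[A-Z_]+): "
                    r".*?(?P<client>\S+@\S+) for krbtgt")

def parse_ldap_child(text):
    """Return [(timestamp, message)] for ldap_child TGT failures."""
    hits = [SSSD_RE.match(line) for line in text.splitlines()]
    return [(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["msg"]) for m in hits if m]

def parse_kdc(text, year):
    """Return [(timestamp, status, client)]; syslog-style lines carry no year."""
    hits = [KDC_RE.match(line) for line in text.splitlines()]
    return [(datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year),
             m["status"], m["client"]) for m in hits if m]

def correlate(sssd_text, kdc_text, year, window_s=5):
    """For each ldap_child failure, list KDC rejections within window_s seconds."""
    kdc = parse_kdc(kdc_text, year)
    result = []
    for f_ts, f_msg in parse_ldap_child(sssd_text):
        near = [(k_ts, status, client) for k_ts, status, client in kdc
                if status != "ISSUE" and abs((k_ts - f_ts).total_seconds()) <= window_s]
        result.append((f_ts, f_msg, near))
    return result

if __name__ == "__main__":
    for f_ts, f_msg, near in correlate(LDAP_CHILD_LOG, KDC_LOG, 2013):
        print(f"{f_ts} ldap_child: {f_msg}")
        for k_ts, status, client in near:
            print(f"    {k_ts} KDC: {status} for {client}")
```

A successful ISSUE for some other principal in the same window is deliberately not reported, so what remains is the KDC's reason for rejecting the host keytab (wrong key version, preauthentication failure, clock skew) at the time SSSD logged the failure.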