[Freeipa-users] IPA Query Tuning and a Recovery Question

Charlie Derwent shelltoesuperstar at gmail.com
Wed Sep 25 22:00:51 UTC 2013


On Mon, Sep 16, 2013 at 3:21 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Rich Megginson wrote:
>
>> On 09/16/2013 03:21 AM, Charlie Derwent wrote:
>>
>>> Hi
>>> Update on the errors
>>> kinit charlesd
>>> kinit: Generic error (see e-text) while getting initial credentials
>>> krb5kdc.log - LOOKING_UP_CLIENT: charlesd at EXAMPLE.COM for
>>> krbtg/EXAMPLE.COM at EXAMPLE.COM, Server Error
>>>
>>> Starting the IPA service (dirsrv in particular) gives
>>> Failed to read data from Directory Service: Failed to get list of
>>> services to probe status!
>>> Configured hostname 'ipa3.example.com'
>>> doesn't match any master server in LDAP:
>>> No master found because of error: {'matched': dc=example,dc=com',
>>> 'desc': 'No such object'}
>>> Shutting down
>>> The errors log has a load of different services, schema-compat-plugin,
>>> dna-plugin, ipalockout_preop/postop all complaining in one way or
>>> another about being unable to retrieve entries or no entries being set
>>> up.
>>>
>>
>> I think you'll have to use the workaround where you change replication
>> to use simple bind in order to initialize the consumer, then switch back
>> to sasl/gssapi.
>>
>> Simo/Rob - which ticket was this?  Does freeipa.org have the workaround?
>>
>
> http://freeipa.org/page/TroubleshootingGuide#Replica_Re-Initialization
>
Sorry, I hate leaving threads like this unresolved. So I had a go at
implementing the changes as shown above, and I can see how and why it should
have worked, but whenever I tried to reinitialise from the remote server it
still didn't load, so I uninstalled the server, removed the replication
agreements by force and started from scratch, and it's all good now.

You might want to edit the line on the link so "nsSaslMapFilterTemplate:
(krbPrincipalName=&@IDM.LAB.BOS.REDHAT.COM)" reads
"nsSaslMapFilterTemplate: (krbPrincipalName=&@$REALM)", but it's kind of
obvious anyway.

Thanks for the help
Charlie



>  rob
>