[Freeipa-users] EXTERNAL: Re: IPA Replica Issues
Mark Heslin
mheslin at redhat.com
Mon Jul 28 18:45:24 UTC 2014
On 07/28/2014 02:39 PM, Joseph, Matthew (EXP) wrote:
>
> Weird, when I do kdestroy it prompts me for a password to do the
> ipa-replica-manage list command and I supply the password but it
> states invaloud crednetials.
>
> When I do kinit and supply the password it works.
>
> They use the same account/password don't they?
>
Actually, I think not :-) If I do not have a ticket (admin) then it
prompts for the Directory Manager password
and that depends on how you've set it during the installation. If you
get a ticket as admin, the it doesn't prompt
for the Directory Manager password - doesn't need it as admin has
broader permissions.
If you have no ticket, and is failing on the Directory Manager password
when prompted, then Directory Manager
must have a different password.
-m
> *From:*freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Mark Heslin
> *Sent:* Monday, July 28, 2014 3:27 PM
> *To:* freeipa-users at redhat.com
> *Subject:* EXTERNAL: Re: [Freeipa-users] IPA Replica Issues
>
> On 07/28/2014 02:12 PM, Mark Heslin wrote:
>
> On 07/28/2014 12:46 PM, Joseph, Matthew (EXP) wrote:
>
> Hello,
>
> I'm currently running into some issues with my replica server.
>
> I noticed it wasn't getting any updates from the master server
> so I tried to do a force-sync but it states that it is an
> "invalid password" which I know it is not the case.
>
> I tried doing an ipa-replica-manager list replica_server but
> it gives me the SASL(-13) authentication failure: GSSAPI
> Failure: gss_accept_sec_context, 'desc' Invalid Credentials
>
> I've tried doing a kdestroy and have it prompt me for the
> password but again, same error.
>
> Any idea what this would be?
>
>
> Thanks,
>
> Matt
>
>
>
> Joe,
>
> Are you actually getting a valid Kerberos ticket - on the surface
> it would not appear so.
>
> Also, the command is 'ipa-replica-manage list':
>
> Example:
> # ipa-replica-manage list
> idm-srv1.example.com: master
> idm-srv2.example.com: master
>
> -m
>
>
>
> Joe,
>
> I forgot to add, you should be able to do this without a Kerberos ticket
> but you'll need to specify the Directory Mnager password:
>
> Example:
> # ipa-replica-manage list
> Directory Manager password: ********
>
> idm-srv1.example.com: master
> idm-srv2.example.com: master
> # klist
> klist: No credentials cache found (ticket cache KEYRING:persistent:0:0)
>
> I'm runnning RHEL 7 - not sure whether or not this behavior is different
> on earlier versions.
>
> -m
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140728/cd27cf19/attachment.htm>
More information about the Freeipa-users
mailing list