[Freeipa-users] EXTERNAL: Re: IPA Replica Issues

Mark Heslin mheslin at redhat.com
Mon Jul 28 18:45:24 UTC 2014


On 07/28/2014 02:39 PM, Joseph, Matthew (EXP) wrote:
>
> Weird, when I do kdestroy it prompts me for a password to do the
> ipa-replica-manage list command and I supply the password but it
> states invalid credentials.
>
> When I do kinit and supply the password it works.
>
> They use the same account/password don't they?
>
Actually, I think not :-) If I do not have a ticket (admin) then it
prompts for the Directory Manager password,
and that depends on how you've set it during the installation. If you
get a ticket as admin, then it doesn't prompt
for the Directory Manager password - doesn't need it as admin has
broader permissions.

If you have no ticket, and it is failing on the Directory Manager password
when prompted, then Directory Manager
must have a different password.

-m

> *From:*freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Mark Heslin
> *Sent:* Monday, July 28, 2014 3:27 PM
> *To:* freeipa-users at redhat.com
> *Subject:* EXTERNAL: Re: [Freeipa-users] IPA Replica Issues
>
> On 07/28/2014 02:12 PM, Mark Heslin wrote:
>
>     On 07/28/2014 12:46 PM, Joseph, Matthew (EXP) wrote:
>
>         Hello,
>
>         I'm currently running into some issues with my replica server.
>
>         I noticed it wasn't getting any updates from the master server
>         so I tried to do a force-sync but it states that it is an
>         "invalid password" which I know is not the case.
>
>         I tried doing an ipa-replica-manager list replica_server but
>         it gives me the SASL(-13) authentication failure: GSSAPI
>         Failure: gss_accept_sec_context, 'desc' Invalid Credentials
>
>         I've tried doing a kdestroy and have it prompt me for the
>         password but again, same error.
>
>         Any idea what this would be?
>
>
>         Thanks,
>
>         Matt
>
>
>
>     Joe,
>
>     Are you actually getting a valid Kerberos ticket - on the surface
>     it would not appear so.
>
>     Also, the command is 'ipa-replica-manage list':
>
>     Example:
>       # ipa-replica-manage list
>       idm-srv1.example.com: master
>       idm-srv2.example.com: master
>
>     -m
>
>
>
> Joe,
>
> I forgot to add, you should be able to do this without a Kerberos ticket
> but you'll need to specify the Directory Manager password:
>
> Example:
>   #  ipa-replica-manage list
>   Directory Manager password: ********
>
>   idm-srv1.example.com: master
>   idm-srv2.example.com: master
>   # klist
>   klist: No credentials cache found (ticket cache KEYRING:persistent:0:0)
>
> I'm running RHEL 7 - not sure whether or not this behavior is different
> on earlier versions.
>
> -m
>
>
>
>
