[Freeipa-users] SASL(-13) authentication failure

Dmitri Pal dpal at redhat.com
Sat Feb 7 15:06:17 UTC 2015


On 02/07/2015 02:22 AM, Bryan Pearson wrote:
> Okay, sorry for the messages. The original issue has been resolved, 
> one of the servers' time was off.
>
> I am now having a problem similar to this: 
> https://bugzilla.redhat.com/show_bug.cgi?id=953653. My logs indicate 
> all the same issues.
> With IPA 3.0.0 and CentOS 6.6, is this still a viable solution to the 
> problem?
Please start a new thread for a different question.
It seems that we were not able to reproduce it, so it might be that the 
issue is still there.
One of the problems can be the mismatch of the buffer sizes. See the bug.

>
> Bryan
>
> On Sat, Feb 7, 2015 at 12:17 AM, Bryan Pearson <bwp.pearson at gmail.com> wrote:
>
>     I did a bit more digging into the issue, and realized that the
>     ruv-id of ipa2 is different on only one of the servers of the 3. I
>     am imagining I will need to run clean-ruv on the inconsistent node.
>
>     Bryan
>
>     On Fri, Feb 6, 2015 at 10:11 PM, Bryan Pearson
>     <bwp.pearson at gmail.com> wrote:
>
>         Hello,
>
>         My IPA servers are currently saying:
>
>         "Failed to get data from 'hostname.lan': Invalid credentials
>         SASL(-13): authentication failure: GSSAPI Failure:
>         gss_accept_sec_context"
>
>         tail -f /var/log/dirsrv/slapd-HOSTNAME-LAN/errors
>
>         [06/Feb/2015:21:42:41 -0500] slapd_ldap_sasl_interactive_bind
>         - Error: could not perform interactive bind for id [] mech
>         [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13):
>         authentication failure: GSSAPI Failure:
>         gss_accept_sec_context) errno 0 (Success)
>         [06/Feb/2015:21:42:41 -0500] slapi_ldap_bind - Error: could
>         not perform interactive bind for id [] mech [GSSAPI]: error 49
>         (Invalid credentials)
>
>         We have 3 master replicas in operation. ipa2, ipa3, ipa4 and
>         ipa1 we are decommissioning. After losing the CA on 2 nodes,
>         we promoted ipa3 to master, and created a replica file, scped
>         it to ipa4, installed it, and on ipa4 created ipa2. Because of
>         design, 3 and 2 can't communicate with each other.
>
>         I just stopped dirsrv and pki-ca on ipa1, so it's possible it
>         is creating issues.
>
>         I can't determine where the credentials are or how to get them
>         changed as all the nodes are now having similar issues
>         replicating.
>
>         Bryan
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
