[Freeipa-users] re-initialize replica

Andrew E. Bruno aebruno2 at buffalo.edu
Fri Oct 2 16:00:59 UTC 2015


On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote:
> What's the best way to re-initialize a replica? 
> 
> Suppose one of your replicas goes south.. is there a command to tell
> that replica to re-initialize from the first master (instead of
> removing/re-adding the replica from the topology)?

Found the command I was looking for:
   ipa-replica-manage re-initialize --from xxx

However, one of our replicas is down and I can't seem to re-initialize
it. Starting ipa fails (via systemctl restart ipa):

ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
named Service: STOPPED
ipa_memcached Service: STOPPED
httpd Service: STOPPED
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa: INFO: The ipactl command was successful


Errors from the dirsrv show:

: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[02/Oct/2015:11:45:05 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[02/Oct/2015:11:50:05 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server at realm] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[02/Oct/2015:11:50:05 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[02/Oct/2015:11:50:05 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)


Attempting to re-initialize fails:

ipa-replica-manage re-initialize --from master
Connection timed out.


I verified time is in sync and DNS forward/reverse resolution is working.

Any pointers on what else to try?

Thanks!

--Andrew




