[Freeipa-users] re-initialize replica
Martin Kosek
mkosek at redhat.com
Mon Oct 5 10:40:42 UTC 2015
On 10/02/2015 06:00 PM, Andrew E. Bruno wrote:
> On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote:
>> What's the best way to re-initialize a replica?
>>
>> Suppose one of your replicas goes south... is there a command to tell
>> that replica to re-initialize from the first master (instead of
>> removing/re-adding the replica from the topology)?
>
> Found the command I was looking for:
> ipa-replica-manage re-initialize --from xxx
>
> However, one of our replicas is down and I can't seem to re-initialize
> it. Starting ipa fails (via systemctl restart ipa):
>
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: STOPPED
> kadmin Service: STOPPED
> named Service: STOPPED
> ipa_memcached Service: STOPPED
> httpd Service: STOPPED
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa: INFO: The ipactl command was successful
>
>
> Errors from the dirsrv show:
>
> : GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
> [02/Oct/2015:11:45:05 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
> [02/Oct/2015:11:50:05 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server at realm] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [02/Oct/2015:11:50:05 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
> [02/Oct/2015:11:50:05 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>
>
> Attempting to re-initialize fails:
>
> ipa-replica-manage re-initialize --from master
> Connection timed out.
>
>
> I verified time is in sync and DNS forward/reverse resolution is working.
>
> Any pointers on what else to try?
>
> Thanks!
>
> --Andrew
Given that your Kerberos server instance is down, I would start investigating
Kerberos logs to see why.