[Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

Martin Basti mbasti at redhat.com
Fri Apr 29 11:36:20 UTC 2016


Please keep the users list in CC.

You did not send all information I requested.

Please use `rpm -ql ipa-server` to get the exact version number.

On 29.04.2016 13:32, barrykfl at gmail.com wrote:
>
> Error is from GSS API and I'm thinking if it relates to a cert issue.
>
> Server1> server 2 fail
> Server 2   > server1 ok
>
> Freeipa 3.0  both
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform 
> interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) 
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
> Minor code may provide more information (Credentials cache file 
> '/tmp/krb5cc_492' not found)) errno 0 (Success)
> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not 
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - 
> agmt="cn=meTocentral02.ABC.com" 
> (central02:389): Replication bind with GSSAPI auth failed: LDAP error 
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Credentials 
> cache file '/tmp/krb5cc_492' not found))
> [26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All 
> Interfaces port 389 for LDAP requests
> [26/Apr/2016:18:40:19 +0800] - Listening on 
> /var/run/slapd-ABC-COM.socket for LDAPI requests
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - 
> agmt="cn=meTocentral02.ABC.com" 
> (central02:389): Replication bind with GSSAPI auth resumed
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - 
> agmt="cn=meTocentral02.ABC.com" 
> (central02:389): Missing data encountered
> [26/Apr/2016:18:40:23 +0800]
>
>
>
> On 29.04.2016 13:02, barrykfl at gmail.com wrote:
>> Hi All:
>>
>> Is there any method to fall back to the default IPA cert if I didn't back up the original?
>>
>> Now the slapd and IPA cert storage are quite a mess, so they can't
>> replicate, even with nsslapd:security set to off.
>>
>>
>> thx
>> Barry
>>
>>
> Hello Barry,
>
> Can you provide more info?
>
> What is your IPA version, OS?
> What are the symptoms you are experiencing?
> What do you mean by default ipa cert?
> Can you provide logs from replicas?
> Can you provide `getcert list` command output?
> Can you provide `ipactl status` from both servers?
>
> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if 
> certificates are involved in this.
>
> Martin
