[Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

barrykfl at gmail.com barrykfl at gmail.com
Fri Apr 29 17:10:52 UTC 2016


ipa-server-3.0.0-37.el6.x86_64  << here

2016-04-29 19:36 GMT+08:00 Martin Basti <mbasti at redhat.com>:

> Please keep the user list in CC
>
> You did not send all information I requested.
>
> Please use `rpm -ql ipa-server` to get exact version number
>
>
> On 29.04.2016 13:32, barrykfl at gmail.com wrote:
>
> The error is from GSSAPI, and I'm thinking if it relates to a cert issue.
>
> Server 1 > server 2: fail
> Server 2 > server 1: ok
>
> FreeIPA 3.0 on both
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
> bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1):
> generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
> provide more information (Credentials cache file '/tmp/krb5cc_492' not
> found)) errno 0 (Success)
> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389):
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor
> code may provide more information (Credentials cache file '/tmp/krb5cc_492'
> not found))
> [26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket
> for LDAPI requests
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389):
> Replication bind with GSSAPI auth resumed
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389):
> Missing data encountered
> [26/Apr/2016:18:40:23 +0800]
>
>
> On 29.04.2016 13:02, barrykfl at gmail.com wrote:
>
> Hi All:
>
> Is there any method to fall back to the default IPA cert if I didn't back
> up the original?
>
> Now the slapd and IPA cert storage is quite a mess, so they can't replicate
> even after I set nsslapd:security to off
>
>
> thx
> Barry
>
>
> Hello Barry,
>
> Can you provide more info?
>
> What is your IPA version, OS?
> What are the symptoms you are experiencing?
> What do you mean by default IPA cert?
> Can you provide logs from replicas?
> Can you provide `getcert list` command output?
> Can you provide `ipactl status` from both servers?
>
> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
> certificates are involved in this.
>
> Martin
>
>
>
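Added example, not part of the thread and not FreeIPA or 389-ds code: a Python parser that pairs the "Replication bind with GSSAPI auth failed" and "... resumed" lines of a 389-ds errors log per replication agreement, separating a bind that recovered seconds later (as in the excerpt quoted above) from one that never did. The log lines are constructed in the quoted format; the host and agreement names and the second failure reason are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the 389-ds errors-log format quoted above (unwrapped;
# host and agreement names are placeholders, not values from a real system).
SAMPLE_LOG = """\
[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meToreplica02.example.test" (replica02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meToreplica02.example.test" (replica02:389): Replication bind with GSSAPI auth resumed
[26/Apr/2016:19:02:07 +0800] NSMMReplicationPlugin - agmt="cn=meToreplica03.example.test" (replica03:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired))
"""

EVENT = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\([^)]*\): Replication bind with GSSAPI auth (?P<state>failed|resumed)'
    r'(?P<rest>.*)$'
)
# Innermost parenthesised text at the end of a failure line (the Kerberos minor status).
MINOR = re.compile(r'\(([^()]+)\)\)+\s*$')


def gssapi_bind_outages(log_text):
    """Pair each 'auth failed' with the next 'auth resumed' for the same agreement."""
    open_failures, outages = {}, []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        agmt = m["agmt"]
        if m["state"] == "failed":
            minor = MINOR.search(m["rest"])
            # Keep the first failure of a run so the outage is measured from its start.
            open_failures.setdefault(agmt, (ts, minor.group(1) if minor else None))
        elif agmt in open_failures:
            start, reason = open_failures.pop(agmt)
            outages.append({"agreement": agmt, "reason": reason,
                            "seconds": (ts - start).total_seconds(), "resumed": True})
    for agmt, (start, reason) in open_failures.items():
        outages.append({"agreement": agmt, "reason": reason, "seconds": None, "resumed": False})
    return outages


if __name__ == "__main__":
    for outage in gssapi_bind_outages(SAMPLE_LOG):
        print(outage)
```

Entries with `resumed` set to `False` are the ones to follow up on, starting from the recorded `reason`.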