[Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire
Martin Basti
mbasti at redhat.com
Mon May 2 10:28:53 UTC 2016
Hello,
Can you try to upgrade server to the same version?
You did not provide all the information I requested.
Martin
On 29.04.2016 19:13, barrykfl at gmail.com wrote:
> server 1:
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> server2
>
> ipa-server-3.0.0-37.el6.x86_64
>
> 2016-04-30 1:10 GMT+08:00 <barrykfl at gmail.com>:
>
>
> ipa-server-3.0.0-37.el6.x86_64 << here
>
> 2016-04-29 19:36 GMT+08:00 Martin Basti <mbasti at redhat.com>:
>
> Please keep the user list in CC.
>
> You did not send all information I requested.
>
> Please use `rpm -ql ipa-server` to get exact version number
>
>
> On 29.04.2016 13:32, barrykfl at gmail.com wrote:
>>
>> Error is from GSSAPI, and I'm thinking it relates to a cert issue.
>>
>> Server1> server 2 fail
>> Server 2 > server1 ok
>>
>> Freeipa 3.0 both
>>
>> slapd_ldap_sasl_interactive_bind - Error: could not perform
>> interactive bind for id [] mech [GSSAPI]: LDAP error -2
>> (Local error) (SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure. Minor code may provide more
>> information (Credentials cache file '/tmp/krb5cc_492' not
>> found)) errno 0 (Success)
>> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could
>> not perform interactive bind for id [] mech [GSSAPI]: error
>> -2 (Local error)
>> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin -
>> agmt="cn=meTocentral02.ABC.com" (central02:389): Replication
>> bind with GSSAPI auth failed: LDAP error -2 (Local error)
>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
>> failure. Minor code may provide more information (Credentials
>> cache file '/tmp/krb5cc_492' not found))
>> [26/Apr/2016:18:40:19 +0800] - slapd started. Listening on
>> All Interfaces port 389 for LDAP requests
>> [26/Apr/2016:18:40:19 +0800] - Listening on
>> /var/run/slapd-ABC-COM.socket for LDAPI requests
>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin -
>> agmt="cn=meTocentral02.ABC.com" (central02:389): Replication
>> bind with GSSAPI auth resumed
>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin -
>> agmt="cn=meTocentral02.ABC.com" (central02:389): Missing
>> data encountered
>> [26/Apr/2016:18:40:23 +0800]
>>
>>
>>
>> On 29.04.2016 13:02, barrykfl at gmail.com wrote:
>>> Hi All:
>>>
>>> Is there any method to fall back to the default IPA cert if I
>>> didn't back up the original?
>>>
>>> Now the slapd and IPA cert storage is quite a mess, so they can't
>>> replicate, even with nsslapd:security disabled (set to off).
>>>
>>>
>>> thx
>>> Barry
>>>
>>>
>> Hello Barry,
>>
>> Can you provide more info?
>>
>> What is your IPA version, OS?
>> What are the symptoms you are experiencing?
>> What do you mean by default ipa cert?
>> Can you provide logs from replicas?
>> Can you provide `getcert list` command output?
>> Can you provide `ipactl status` from both servers?
>>
>> Replication uses GSSAPI, at least on new IPA versions, I'm
>> not sure if certificates are involved in this.
>>
>> Martin
>
>
>