[Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

barrykfl at gmail.com barrykfl at gmail.com
Mon May 9 04:15:45 UTC 2016


 Hello Barry,

Can you provide more info?

What is your IPA version, OS?

CENTOS 6.5

server1 - ipa-server-3.0.0-47.el6.centos.2.x86_64
server 2 - ipa-server-3.0.0-37.el6.x86_64

What are the symptoms you are experiencing?

server1's updates are not transferred to server 2, but server 2 can transfer to
server 1 even with the cert expired.

What do you mean by default ipa cert? If the cert is the issue, then fall back to
the original, not-expired self-signed cert.

Can you provide logs from replicas?

From server 2:

[09/May/2016:12:09:05 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown error)) errno 0 (Success)
[09/May/2016:12:09:05 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)

Can you provide `getcert list` command output?

Server 1 - Number of certificates and requests being tracked: 0.  <-- NO record
Server 2 -

Number of certificates and requests being tracked: 3.
Request ID '20140106083849':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=ABC.COM
        subject: CN=central02.ABC.com,O=ABC.COM
        expires: 2015-12-19 06:40:44 UTC
        eku: id-kp-ABCAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ABC-COM
        track: yes
        auto-renew: yes
Request ID '20140106083931':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=ABC.COM
        subject: CN=central02.ABC.com,O=ABC.COM
        expires: 2015-12-19 06:40:46 UTC
        eku: id-kp-ABCAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20140106083944':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=ABC.COM
        subject: CN=IPA RA,O=ABC.COM
        expires: 2015-11-12 08:41:45 UTC
        eku: id-kp-ABCAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes


Can you provide `ipactl status` from both server?

Server 1 -

Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING


Server 2 -

Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

Now I don't want any cert, just GSSAPI to work...

2016-05-02 18:28 GMT+08:00 Martin Basti <mbasti at redhat.com>:

> Hello,
>
> Can you try to upgrade server to the same version?
>
> You did not provide all the information I requested.
>
> Martin
>
>
> On 29.04.2016 19:13, barrykfl at gmail.com wrote:
>
> server 1:
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> server2
>
> ipa-server-3.0.0-37.el6.x86_64
>
> 2016-04-30 1:10 GMT+08:00 <barrykfl at gmail.com>:
>
>>
>> ipa-server-3.0.0-37.el6.x86_64  << here
>>
>> 2016-04-29 19:36 GMT+08:00 Martin Basti <mbasti at redhat.com>:
>>
>>> Please keep, user-list in CC
>>>
>>> You did not send all information I requested.
>>>
>>> Please use `rpm -ql ipa-server` to get exact version number
>>>
>>>
>>> On 29.04.2016 13:32, barrykfl at gmail.com wrote:
>>>
>>> Error is from GSS API and I'm thinking it relates to a cert issue.
>>>
>>> Server1> server 2 fail
>>> Server 2   > server1 ok
>>>
>>> Freeipa 3.0  both
>>>
>>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
>>> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
>>> [26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>>> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests
>>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth resumed
>>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Missing data encountered
>>> [26/Apr/2016:18:40:23 +0800]
>>>
>>>
>>> On 29.04.2016 13:02, barrykfl at gmail.com wrote:
>>>
>>> Hi All:
>>>
>>> Is there any method to fall back to the default ipa cert if I didn't back up the original?
>>>
>>> Now the slapd and ipa cert storage are quite a mess, so they can't replicate
>>> even with nsslapd:security disabled (set to off).
>>>
>>>
>>> thx
>>> Barry
>>>
>>>
>>> Hello Barry,
>>>
>>> Can you provide more info?
>>>
>>> What is your IPA version, OS?
>>> What are the symptoms you are experiencing?
>>> What do you mean by default ipa cert ?
>>> Can you provide logs from replicas?
>>> Can you provide `getcert list` command output?
>>> Can you provide `ipactl status` from both server?
>>>
>>> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
>>> certificates are involved in this.
>>>
>>> Martin
>>>
>>>
>>>
>>
>
>
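As an added example (not code from the thread or from the FreeIPA project), a small Python parser for `getcert list` output that flags tracked certificates that are stuck, like the NEED_CSR_GEN_TOKEN entries above, or already expired. The sample output is constructed after Barry's listing, and the check date is assumed to be the date of his mail.

```python
import re
from datetime import datetime, timezone
# Constructed sample modelled on the thread's `getcert list` output (second request made healthy for contrast).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20140106083849':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        CA: IPA
        subject: CN=central02.ABC.com,O=ABC.COM
        expires: 2015-12-19 06:40:44 UTC
Request ID '20140106083944':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-retrieve-agent-submit
        subject: CN=IPA RA,O=ABC.COM
        expires: 2017-11-12 08:41:45 UTC
"""
# Assumed check date: the date of Barry's mail.
MAIL_DATE = datetime(2016, 5, 9, tzinfo=timezone.utc)

def parse_getcert(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def find_problems(text, now=MAIL_DATE):
    """Return (request id, reason) pairs for stuck or already-expired certs."""
    problems = []
    for req in parse_getcert(text):
        if req.get("stuck") == "yes":
            problems.append((req["id"], "stuck in " + req.get("status", "?")))
        exp = req.get("expires")
        if exp:
            exp_dt = datetime.strptime(exp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
            if exp_dt.replace(tzinfo=timezone.utc) < now:
                problems.append((req["id"], "expired " + exp))
    return problems
if __name__ == "__main__":
    for req_id, reason in find_problems(SAMPLE_GETCERT):
        print(req_id, reason)
```

Run it against the real output with `getcert list | python3 check_getcert.py`-style piping only after swapping SAMPLE_GETCERT for stdin; a non-empty result on a replica is the first thing to clear before looking at the GSSAPI bind errors.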