[Freeipa-users] Directory Manager password is correct but IPA-replica-prepare command fails with Invalid Credentials

Rob Crittenden rcritten at redhat.com
Fri Mar 24 22:21:47 UTC 2017


Shiela Spaleta wrote:
> I can successfully bind as the Directory Manager, but when I use the
> same password to create a replica prep file I get an "Invalid
> Credentials" error.  How is this possible?
> 
> I'm running FreeIPA v3.0 on CentOS 6 and created replicas successfully
> in the past.
> 
> I tested the Directory Manager password by using it to change the admin
> user's password:
> 
> ldappasswd -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=domain,dc=com
> 
> and that was successful (tested by getting a ticket as admin user with
> new pwd).
> 
> But when I try to create a replica file:
> 
> # ipa-replica-prepare ipa2.shiela.com
> 
> Preparing replica for ipa2.shiela.com from ipa1.shiela.com
> preparation of replica failed: Insufficient access:  Invalid credentials
> Insufficient access:  Invalid credentials
>   File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
>     main()
> 
>   File "/usr/sbin/ipa-replica-prepare", line 391, in main
>     update_pki_admin_password(dirman_password)
> 
>   File "/usr/sbin/ipa-replica-prepare", line 247, in update_pki_admin_password
>     bind_pw=dirman_password
> 
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>     conn = self.create_connection(*args, **kw)
> 
>   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
>     self.handle_errors(e)
> 
>   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 712, in handle_errors
>     raise errors.ACIError(info="%s %s" % (info, desc))
> 
> If anyone can shed light on this I would be grateful.  I've checked
> /var/log/dirsrv/PKI-IPA but it has not been any more helpful.
> 

admin != Directory Manager.

Try running kdestroy, then ipa-replica-prepare. You'll be prompted for
the DM password, that should work.

rob



