<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 04/15/2013 08:41 PM, Christian Hernandez wrote: <blockquote cite="mid:CAH3k4=eP5ZGZVgaF_Hfowok0p-X4JwDfcVQxz597y_PR4anCvg@mail.gmail.com" type="cite"> <div dir="ltr">Yup, looks like replication is broken =\<br> <br> [<a moz-do-not-send="true" href="mailto:root@ipa1.gln.4over.com">root@ipa1.gln.4over.com</a> ipa]# ipa-replica-manage disconnect <a moz-do-not-send="true" href="http://ipa1.la3.4over.com">ipa1.la3.4over.com</a><br> Failed to get list of agreements from '<a moz-do-not-send="true" href="http://ipa1.la3.4over.com">ipa1.la3.4over.com</a>': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context<br> <br> [<a moz-do-not-send="true" href="mailto:root@ipa1.gln.4over.com">root@ipa1.gln.4over.com</a> ipa]# ipa-replica-manage list <a moz-do-not-send="true" href="http://ipa1.la3.4over.com">ipa1.la3.4over.com</a><br> Failed to get data from '<a moz-do-not-send="true" href="http://ipa1.la3.4over.com">ipa1.la3.4over.com</a>': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context<br> <br> [<a moz-do-not-send="true" href="mailto:root@ipa1.gln.4over.com">root@ipa1.gln.4over.com</a> ipa]# ipa-replica-manage list<br> <a moz-do-not-send="true" href="http://ipa1.la3.4over.com">ipa1.la3.4over.com</a>: master<br> <a moz-do-not-send="true" href="http://ipa1.gln.4over.com">ipa1.gln.4over.com</a>: master<br> <a moz-do-not-send="true" href="http://ipa1.da2.4over.com">ipa1.da2.4over.com</a>: master<br> </div> </blockquote> <br> <br> Do the machines resolve each other correctly?<br> <br> <blockquote cite="mid:CAH3k4=eP5ZGZVgaF_Hfowok0p-X4JwDfcVQxz597y_PR4anCvg@mail.gmail.com" type="cite"> <div class="gmail_extra"> <br clear="all"> <div> <div dir="ltr"> <div><br> Thank you,<br> <br> Christian Hernandez<br> </div> 1225 Los Angeles Street<br> <div>Glendale, CA 91204<br> Phone: <a moz-do-not-send="true" value="+18777822737">877-782-2737 ext. 4566</a><br> Fax: <a moz-do-not-send="true" value="+18182653152">818-265-3152</a><br> <a moz-do-not-send="true" href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a> <mailto:<a moz-do-not-send="true" href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>> <br> <a moz-do-not-send="true" href="http://www.4over.com/" target="_blank">www.4over.com</a> <<a moz-do-not-send="true" href="http://www.4over.com/" target="_blank">http://www.4over.com</a>></div> </div> </div> <br> <br> <div class="gmail_quote">On Mon, Apr 15, 2013 at 4:58 PM, Christian Hernandez <span dir="ltr"><<a moz-do-not-send="true" href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div dir="ltr"> <div>Okay,<br> <br> So I tried to update to the newest version. Update went okay and users can authenticate (as far as I can tell)...<br> <br> But I think may be replication broke?<br> <br> [<a moz-do-not-send="true" href="mailto:root@ipa1.da2.4over.com" target="_blank">root@ipa1.da2.4over.com</a> log]# ipa-replica-manage force-sync --from=<a moz-do-not-send="true" href="http://ipa1.gln.4over.com" target="_blank">ipa1.gln.4over.com</a> <br> Invalid password<br> <br> </div> Any ideas?<br> </div> <div class="gmail_extra"> <div class="im"><br clear="all"> <div> <div dir="ltr"> <div><br> Thank you,<br> <br> Christian Hernandez<br> </div> 1225 Los Angeles Street<br> <div>Glendale, CA 91204<br> Phone: <a moz-do-not-send="true" value="+18777822737">877-782-2737 ext. 4566</a><br> Fax: <a moz-do-not-send="true" value="+18182653152">818-265-3152</a><br> <a moz-do-not-send="true" href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a> <mailto:<a moz-do-not-send="true" href="mailto:christianh@4over.com" target="_blank">christianh@4over.com</a>> <br> <a moz-do-not-send="true" href="http://www.4over.com/" target="_blank">www.4over.com</a> <<a moz-do-not-send="true" href="http://www.4over.com/" target="_blank">http://www.4over.com</a>></div> </div> </div> <br> <br> </div> <div> <div class="h5"> <div class="gmail_quote">On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek <span dir="ltr"><<a moz-do-not-send="true" href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div>On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:<br> > There are some odd errors in ldap_child.log but it seems to cover a<br> > later period than the other logs (not being able to bind using its<br> > keytab is a bad thing).<br> ><br> > I think what you'll want to do, and this may be relatively tough, is<br> > try to correlate these failures with the 389-ds access log and the<br> > KDC logs to see if there are equivalent failures at around the same<br> > times.<br> <br> </div> I agree, the ldap_child failing usually indicates an issue with the<br> keytab and/or the KDC. The ldap_child functionality is roughly equivalent to<br> "kinit -k".<br> <br> _______________________________________________<br> Freeipa-users mailing list<br> <a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br> <a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> </blockquote> </div> <br> </div> </div> </div> </blockquote> </div> <br> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>