[Pulp-list] Can't reinstate a replica from scratch after it was off for 6 months
Konstantin M. Khankin
khankin.konstantin at gmail.com
Sat Aug 8 22:11:31 UTC 2020
Hi!
I run IPA on CentOS 7. I have two servers (Leader and Replica, though they
changed roles a couple of times because of reinstalls), had ca and domain
services on both of them, replication set up and working. I had to switch
off Replica for 6 months. When I turned it on recently, I found expired
certificates, couldn't fix them easily and lost the old Replica - at least
I concluded it was easier to reinstate the Replica than to detangle the mess
I made while I was trying to back out of outdated certs. I hit the same error
as I do now though - Invalid Credentials (49).
So I did the following:
1) on Replica - ipa-server-install --uninstall.
2) on Leader - ipa-replica-manage del --force --clean Replica.
3) removed obsolete replication agreement meToReplica from Leader.
4) removed all traces of Replica from DNS.
Then I started to install Replica from scratch:
1) ipa-client-install
2) ipa-replica-install --setup-ca --setup-dns --forwarder X --forwarder Y
Installation consistently fails with:
'''
Run connection check to master
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
<...>
[29/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 16 seconds elapsed
[ldap://Leader:389] reports: Update failed! Status: [Error (49) - LDAP error: Invalid credentials]
[error] RuntimeError: Failed to start replication
'''
Logs from Leader, /var/log/dirsrv/slapd-DOMAIN/errors:
'''
[<DATE>] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
'''
I verified clocks on both Replica and Leader - they show the same time
(within a 1-2 second window). In fact, at some point I had Replica
taking time straight from Leader, before they were set up to use the other
common source. I dumped traffic between Leader and Replica - indeed,
Leader tried to authenticate on Replica and Replica replied "Invalid
credentials".
I googled this error and read multiple email threads but nothing helped so
far. Replica works fine as an IPA client but can't get promoted to a replica.
What am I missing?
Thanks!
--
Khankin Konstantin
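As an added example, not part of the original post and not FreeIPA's or 389-ds's own tooling: a small Python parser for the replication bind failures in /var/log/dirsrv/slapd-DOMAIN/errors, in the line shape quoted above. It extracts the agreement, peer host and port, auth method and LDAP result code, and counts repeats per agreement, which is what you want when deciding whether a failure like the one above is consistent (same agreement, same method, same code 49 every cycle) or a one-off. The log lines in SAMPLE_LINES are constructed for the example; the timestamp layout and the "Replication bind with ... auth failed" wording follow the format on the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Line shape from /var/log/dirsrv/slapd-DOMAIN/errors as quoted in the post:
# [<timestamp>] - <SEVERITY> - NSMMReplicationPlugin - <function> -
#   agmt="<agreement>" (<peer host>:<port>) - <message>
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+-\s+(?P<sev>[A-Z]+)\s+-\s+NSMMReplicationPlugin\s+-\s+'
    r'(?P<func>\w+)\s+-\s+agmt="(?P<agmt>[^"]+)"\s+\((?P<peer>[^:)]+):(?P<port>\d+)\)\s+-\s+'
    r'(?P<msg>.*)$'
)
# The bind-failure message itself. LDAP result codes may be negative
# (e.g. -1 when the peer cannot be contacted at all), so allow a sign.
BIND_FAIL_RE = re.compile(
    r'Replication bind with (?P<auth>\S+) auth failed: '
    r'LDAP error (?P<code>-?\d+) \((?P<reason>[^)]*)\)'
)


@dataclass
class BindFailure:
    timestamp: str
    agreement: str
    peer: str
    port: int
    auth: str       # GSSAPI, SIMPLE, ...
    ldap_code: int  # 49 = invalidCredentials
    reason: str


def parse_bind_failure(line: str) -> Optional[BindFailure]:
    """Return a BindFailure for an ERR replication-bind line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or m.group("sev") != "ERR":
        return None
    f = BIND_FAIL_RE.search(m.group("msg"))
    if not f:
        return None
    return BindFailure(
        timestamp=m.group("ts"),
        agreement=m.group("agmt"),
        peer=m.group("peer"),
        port=int(m.group("port")),
        auth=f.group("auth"),
        ldap_code=int(f.group("code")),
        reason=f.group("reason"),
    )


def scan(lines: Iterable[str]) -> List[BindFailure]:
    """Keep only the lines that are replication bind failures."""
    return [r for r in (parse_bind_failure(l) for l in lines) if r is not None]


def summarize(failures: Iterable[BindFailure]) -> Dict[Tuple[str, str, str, int], int]:
    """Count failures per (agreement, peer, auth method, LDAP code).

    A single key with a high count means the same agreement keeps failing
    the same way, i.e. a credential/principal problem rather than a transient one.
    """
    return Counter((f.agreement, f.peer, f.auth, f.ldap_code) for f in failures)


# Constructed sample log lines (timestamps and hostnames are made up for the example).
SAMPLE_LINES = [
    '[08/Aug/2020:22:05:14.123456789 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - '
    'agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with GSSAPI auth failed: '
    'LDAP error 49 (Invalid credentials) ()',
    '[08/Aug/2020:22:05:17.000000001 +0000] - INFO - NSMMReplicationPlugin - repl5_tot_run - '
    'agmt="cn=meToReplica.domain" (Replica:389) - Beginning total update of replica',
    '[08/Aug/2020:22:05:20.500000000 +0000] - ERR - schema-compat-plugin - '
    'warning: no entries set up under cn=computers, cn=compat,dc=domain',
    '[08/Aug/2020:22:05:30.123456789 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - '
    'agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with GSSAPI auth failed: '
    'LDAP error 49 (Invalid credentials) ()',
    "[08/Aug/2020:22:06:02.000000000 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - "
    'agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with SIMPLE auth failed: '
    "LDAP error -1 (Can't contact LDAP server) ()",
]


if __name__ == "__main__":
    # Typical use: python3 this.py < /var/log/dirsrv/slapd-DOMAIN/errors
    import sys
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for key, n in sorted(summarize(scan(src)).items(), key=lambda kv: -kv[1]):
        agmt, peer, auth, code = key
        print(f"{n:4d}x  {agmt}  peer={peer}  auth={auth}  ldap_error={code}")
```

Run with the errors log on stdin (or with no input to see the constructed sample). Only lines marked ERR from NSMMReplicationPlugin that carry a bind-failure message are counted; INFO progress lines and errors from other plugins are ignored, so the summary reflects only the replication bind itself.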