Looks like I've narrowed it down to...something...

[r...@ipa1.la3.4over.com ~]# ipa-replica-manage list ipa1.gln.4over.com
Failed to get data from 'ipa1.gln.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

[r...@ipa1.la3.4over.com ~]# ipa-replica-manage list ipa1.da2.4over.com
ipa1.gln.4over.com: replica
ipa1.la3.4over.com: replica

[r...@ipa1.la3.4over.com ~]# ipa-replica-manage list $(hostname)
ipa1.da2.4over.com: replica
ipa1.gln.4over.com: replica

[r...@ipa1.la3.4over.com ~]# rpm -qa |egrep '389|ipa'
ipa-admintools-3.0.0-26.el6_4.2.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-3.0.0-26.el6_4.2.x86_64
libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
389-ds-base-libs-1.2.11.15-12.el6_4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.4.el6_4.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
389-ds-base-1.2.11.15-12.el6_4.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64

Although when I try to remove the replication agreement...I can't =\

[r...@ipa1.la3.4over.com ~]# ipa-replica-manage disconnect $(hostname) ipa1.gln.4over.com
Failed to get list of agreements from 'ipa1.gln.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

Thank you,

Christian Hernandez
1225 Los Angeles Street
Glendale, CA 91204
Phone: 877-782-2737 ext. 4566
Fax: 818-265-3152
christi...@4over.com <mailto:christi...@4over.com>
www.4over.com <http://www.4over.com>

On Mon, Apr 15, 2013 at 6:58 PM, Christian Hernandez <christi...@4over.com> wrote:

> Yes; I verified that both forward and reverse DNS match on all nodes.
>
> Thank you,
>
> Christian Hernandez
> 1225 Los Angeles Street
> Glendale, CA 91204
> Phone: 877-782-2737 ext. 4566
> Fax: 818-265-3152
> christi...@4over.com <mailto:christi...@4over.com>
> www.4over.com <http://www.4over.com>
>
> On Mon, Apr 15, 2013 at 6:21 PM, Dmitri Pal <d...@redhat.com> wrote:
>
>> On 04/15/2013 08:41 PM, Christian Hernandez wrote:
>>
>> Yup, looks like replication is broken =\
>>
>> [r...@ipa1.gln.4over.com ipa]# ipa-replica-manage disconnect ipa1.la3.4over.com
>> Failed to get list of agreements from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>>
>> [r...@ipa1.gln.4over.com ipa]# ipa-replica-manage list ipa1.la3.4over.com
>> Failed to get data from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>>
>> [r...@ipa1.gln.4over.com ipa]# ipa-replica-manage list
>> ipa1.la3.4over.com: master
>> ipa1.gln.4over.com: master
>> ipa1.da2.4over.com: master
>>
>> Do the machines resolve each other correctly?
>>
>> Thank you,
>>
>> Christian Hernandez
>> 1225 Los Angeles Street
>> Glendale, CA 91204
>> Phone: 877-782-2737 ext. 4566
>> Fax: 818-265-3152
>> christi...@4over.com <mailto:christi...@4over.com>
>> www.4over.com <http://www.4over.com>
>>
>> On Mon, Apr 15, 2013 at 4:58 PM, Christian Hernandez <christi...@4over.com> wrote:
>>
>>> Okay,
>>>
>>> So I tried to update to the newest version. Update went okay and users
>>> can authenticate (as far as I can tell)...
>>>
>>> But I think may be replication broke?
>>>
>>> [r...@ipa1.da2.4over.com log]# ipa-replica-manage force-sync --from=ipa1.gln.4over.com
>>> Invalid password
>>>
>>> Any ideas?
>>>
>>> Thank you,
>>>
>>> Christian Hernandez
>>> 1225 Los Angeles Street
>>> Glendale, CA 91204
>>> Phone: 877-782-2737 ext. 4566
>>> Fax: 818-265-3152
>>> christi...@4over.com <mailto:christi...@4over.com>
>>> www.4over.com <http://www.4over.com>
>>>
>>> On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>
>>>> On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
>>>> > There are some odd errors in ldap_child.log but it seems to cover a
>>>> > later period than the other logs (not being able to bind using its
>>>> > keytab is a bad thing).
>>>> >
>>>> > I think what you'll want to do, and this may be relatively tough, is
>>>> > try to correlate these failures with the 389-ds access log and the
>>>> > KDC logs to see if there are equivalent failures at around the same
>>>> > times.
>>>>
>>>> I agree, the ldap_child failing usually indicates an issue with the
>>>> keytab and/or the KDC. The ldap_child functionality is roughly
>>>> equivalent to "kinit -k".
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
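
The correlation suggested in the quoted reply (ldap_child.log failures against the 389-ds access log and the KDC log at around the same times), as an added example that is not part of the original thread. The timestamp layouts, host names, principals and sample lines are constructed assumptions, and it assumes all hosts log in the same local time zone with synchronized clocks.

```python
import re
from datetime import datetime, timedelta

# Timestamp layouts assumed for ldap_child.log, the 389-ds access log and krb5kdc.log.
SSSD_TS = re.compile(r"^\((\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\)")
DS_TS = re.compile(r"^\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\]")
KDC_TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")

def parse_ts(line, year):
    """Naive local datetime for a line from any of the three logs, else None."""
    if m := SSSD_TS.match(line):
        return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    if m := DS_TS.match(line):  # UTC offset dropped: hosts assumed to share a zone
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
    if m := KDC_TS.match(line):  # syslog-style stamp has no year; caller supplies it
        return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return None

def correlate(child_log, ds_log, kdc_log, year, window=5):
    """Pair each ldap_child failure with LDAP err=49 and failed KDC requests nearby."""
    span = timedelta(seconds=window)
    others = [(parse_ts(l, year), "389-ds", l) for l in ds_log if "RESULT err=49" in l]
    others += [(parse_ts(l, year), "kdc", l) for l in kdc_log
               if "_REQ" in l and "ISSUE:" not in l]
    hits = []
    for line in child_log:
        ts = parse_ts(line, year)
        if ts is None or "Failed" not in line:
            continue
        near = [(src, l) for t, src, l in others if t and abs(t - ts) <= span]
        hits.append((ts, line, near))
    return hits

# Constructed sample lines (not taken from the thread).
CHILD = ["(Mon Apr 15 14:29:18 2013) [[sssd[ldap_child[2291]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt integrity check failed"]
DS = [
    "[15/Apr/2013:14:29:19 -0400] conn=412 op=0 RESULT err=49 tag=97 nentries=0 etime=0",
    "[15/Apr/2013:14:41:02 -0400] conn=415 op=0 RESULT err=0 tag=97 nentries=0 etime=0",
    "[15/Apr/2013:15:10:44 -0400] conn=431 op=0 RESULT err=49 tag=97 nentries=0 etime=0",
]
KDC = [
    "Apr 15 14:29:18 kdc.example.test krb5kdc[1420](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: host/client.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed",
    "Apr 15 14:30:02 kdc.example.test krb5kdc[1420](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1366050602, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
]

if __name__ == "__main__":
    for ts, line, near in correlate(CHILD, DS, KDC, year=2013):
        print(ts, [src for src, _ in near])
```

An ldap_child failure with a KDC rejection and an LDAP err=49 (invalid credentials) in the same few seconds points at the keytab or KDC side; a failure with no nearby match on either server suggests the request never reached them.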