On Mon, Sep 16, 2013 at 3:21 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Rich Megginson wrote:
>
>> On 09/16/2013 03:21 AM, Charlie Derwent wrote:
>>
>>> Hi
>>> Update on the errors
>>> kinit charlesd
>>> kinit: Generic error (see e-text) while getting initial credentials
>>> krb5kdc.log - LOOKING_UP_CLIENT: charl...@example.com for krbtg/example....@example.com, Server Error
>>>
>>> Starting the IPA service (dirsrv in particular) gives
>>> Failed to read data from Directory Service: Failed to get list of services to probe status!
>>> Configured hostname 'ipa3.example.com' doesn't match any master server in LDAP:
>>> No master found because of error: {'matched': dc=example,dc=com', 'desc': 'No such object'}
>>> Shutting down
>>> The errors log has a load of different services, schema-compat-plugin, dna-plugin, ipalockout_preop/postop, all complaining in one way or another about being unable to retrieve entries or no entries being set up.
>>>
>>
>> I think you'll have to use the workaround where you change replication to use simple bind in order to initialize the consumer, then switch back to sasl/gssapi.
>>
>> Simo/Rob - which ticket was this? Does freeipa.org have the workaround?
>>
>
> http://freeipa.org/page/TroubleshootingGuide#Replica_Re-Initialization
>

Sorry, I hate leaving threads like this unresolved. So I had a go implementing the changes as shown above, and I can see how and why it should have worked, but whenever I tried to reinitialise from the remote server it still didn't load, so I uninstalled the server, removed the replication agreements by force and started from scratch, and it's all good now.

You might want to edit the line on the link so "nsSaslMapFilterTemplate: (krbPrincipalName=&@IDM.LAB.BOS.REDHAT.COM)" reads "nsSaslMapFilterTemplate: (krbPrincipalName=&@$REALM)", but it's kind of obvious anyway.

Thanks for the help
Charlie

> rob
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users