The ldap/serverB keytab was renewed with the ipa-getkeytab command, but not put into place. Since the existing keytab in /etc/dirsrv/ds.keytab was no longer valid, replication stopped. I've since exported it a couple more times from each of the servers in an attempt to get it working again, but none of the keytabs work. I can, however, auth to the kerberos server using the latest keytab file using kinit -kt /etc/dirsrv/ds.keytab ldap/serverB. I've verified permissions on the keytab file.
Now, when I attempt to start replication, it gives me this in the error log ...

[20/Nov/2013:16:29:40 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/en5013.dev.ca1.sfmc...@sfmc.co] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328174 (Generic preauthentication failure)
[20/Nov/2013:16:29:40 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_497' not found)) errno 0 (Success)
[20/Nov/2013:16:29:40 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Nov/2013:16:29:40 -0400] NSMMReplicationPlugin - agmt="cn=meTodv5002-en1.dev.ca1.sfmc.co" (dv5002-en1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_497' not found))

Over and over and over again.

I can auth to the server with a standard bind, but GSSAPI auth will not function. I've even attempted to su to the dirsrv user and run a kinit using the ds.keytab file and setting the cache to /tmp/krb5cc_497, but it just complains that the permissions on the cache credentials file are incorrect.

I've also attempted to remove the replica from the working server, but I get an authentication error when it attempts to contact the non-functional server ..

# ipa-replica-manage del en5013.dev.ca1.sfmc.co
Connection to 'en5013.dev.ca1.sfmc.co' failed: Invalid credentials
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Unknown error)
Unable to delete replica 'en5013.dev.ca1.sfmc.co'

Terry

On Wed, Nov 20, 2013 at 4:21 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Terry Soucy wrote:
>
>> I have the keytab with the oldest version number shown in the kvno
>> command, but when I put that into place, I get no joy.
>
> A lot more details are required. Did you change or renew the keytab? Did
> it suddenly stop working, and when?
>
> Logs? /var/log/dirsrv/slapd-REALM/error and access. /var/log/krb5kdc.log.
>
> rob
>
>> Terry
>>
>> On Wed, Nov 20, 2013 at 4:05 PM, Terry Soucy <tso...@salesforce.com> wrote:
>>
>> The service principal ldap/serverB was exported but not put into
>> place at /etc/dirsrv/ds.keytab. Replication started failing, dns
>> couldn't connect, the work generally started coming to an end. I've
>> re-exported the service principal to a keytab file. If I export from
>> serverA using the ipa-getkeytab file, I get one version number. If I
>> export from server B, I get an older version number. When I use the
>> kvno command, I get an even older number.
>>
>> Terry
>>
>> On Wed, Nov 20, 2013 at 3:56 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>
>> On 11/20/2013 12:37 PM, Terry Soucy wrote:
>>
>>> I am currently having the following issue.
>>>
>>> Running Redhat IPA on RHEL6.3 (ipa-server-3.0.0.25) in a basic
>>> two server multimaster setup.
>>>
>>> Server A is running fine, but Server B is out of sync. More
>>> specifically, the ldap service principal is out of sync
>>> between the two servers, which is leading to no replication,
>>> etc, etc. I need to sync the ldap/serverB service principal on
>>> Server A with the ldap/serverB service principal on Server B.
>>> Is there a way to do that, or am I looking at a re-init of
>>> server B?
>>
>> I'm not sure what you mean by "the ldap service principal is out
>> of sync between the two servers"?
>>
>>> Terry
>>>
>>> --
>>> Terry Soucy - Systems Engineer
>>> Salesforce MarketingCloud - http://www.salesforce.com
>>> (o) 506.631.7445 (c) 506.609.3247 | (e) tso...@salesforce.com
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
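The thread above turns on the key version (kvno) held in /etc/dirsrv/ds.keytab no longer matching the version the KDC issues tickets for: each run of ipa-getkeytab generates a fresh key and bumps the kvno, so a keytab that was exported but never installed, or that was superseded by a later export, cannot decrypt current service tickets and GSSAPI binds fail. The following POSIX shell check is an added example, not code from the thread or from FreeIPA; the `klist -kt` and `kvno` outputs it parses are constructed samples with placeholder hostnames and realm.

```shell
#!/bin/sh
# Added example: detect a keytab whose kvno no longer matches what the KDC issues.
# The two inputs below are constructed stand-ins; on a real host they come from
#   klist -kt /etc/dirsrv/ds.keytab
#   kvno ldap/<host>            (run with a valid TGT for any user)

# Constructed stand-in for `klist -kt /etc/dirsrv/ds.keytab` (placeholder host/realm).
KLIST_OUT='Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/20/13 15:40:12 ldap/serverb.example.test@EXAMPLE.TEST
   3 11/20/13 15:40:12 ldap/serverb.example.test@EXAMPLE.TEST
   2 11/01/13 09:02:44 host/serverb.example.test@EXAMPLE.TEST'

# Constructed stand-in for `kvno ldap/serverb.example.test`.
KVNO_OUT='ldap/serverb.example.test@EXAMPLE.TEST: kvno = 5'

# Highest kvno the keytab holds for a principal (one line per enctype, possibly
# several versions). $1 = klist -kt output, $2 = full principal name.
keytab_kvno() {
  printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1 }' | sort -n | tail -n 1
}

# kvno the KDC currently encrypts service tickets with, parsed from `kvno` output.
# $1 = kvno output, $2 = full principal name.
kdc_kvno() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 == p ":" { print $NF }'
}

# Returns 0 when the installed keytab can decrypt current tickets, 1 when it is
# stale or missing the principal. $1 = klist output, $2 = kvno output, $3 = principal.
check_kvno() {
  kt=$(keytab_kvno "$1" "$3")
  kdc=$(kdc_kvno "$2" "$3")
  if [ -z "$kt" ]; then
    echo "$3: not present in keytab"; return 1
  fi
  if [ "$kt" = "$kdc" ]; then
    echo "$3: keytab kvno $kt matches KDC"; return 0
  fi
  echo "$3: keytab kvno $kt but KDC kvno $kdc; re-export and install the keytab, then restart dirsrv"
  return 1
}

# With the constructed samples this reports a mismatch (3 in keytab, 5 at the KDC).
check_kvno "$KLIST_OUT" "$KVNO_OUT" 'ldap/serverb.example.test@EXAMPLE.TEST' || true
```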