ipa-server-3.0.0-37.el6.x86_64 << here

2016-04-29 19:36 GMT+08:00 Martin Basti <mba...@redhat.com>:
> Please keep user-list in CC
>
> You did not send all the information I requested.
>
> Please use `rpm -ql ipa-server` to get the exact version number
>
>
> On 29.04.2016 13:32, barry...@gmail.com wrote:
>
> Error is from GSS API, and I'm thinking if it relates to a cert issue.
>
> Server1> server 2 fail
> Server 2 > server1 ok
>
> FreeIPA 3.0 on both
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
> [26/Apr/2016:18:40:19 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth resumed
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Missing data encountered
> [26/Apr/2016:18:40:23 +0800]
>
>
> On 29.04.2016 13:02, barry...@gmail.com wrote:
>
> Hi All:
>
> Is there any method to fall back to the default IPA cert if I didn't back up the original?
>
> Now the slapd and IPA cert storage is quite a mess, so they can't replicate even with nsslapd:security disabled (off).
>
>
> thx
> Barry
>
>
> Hello Barry,
>
> Can you provide more info?
>
> What is your IPA version, OS?
> What are the symptoms you are experiencing?
> What do you mean by default IPA cert?
> Can you provide logs from replicas?
> Can you provide `getcert list` command output?
> Can you provide `ipactl status` from both servers?
>
> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if certificates are involved in this.
>
> Martin