server 1: ipa-server-3.0.0-26.el6_4.4.x86_64
server 2: ipa-server-3.0.0-37.el6.x86_64

2016-04-30 1:10 GMT+08:00 <barry...@gmail.com>:

> ipa-server-3.0.0-37.el6.x86_64 << here
>
> 2016-04-29 19:36 GMT+08:00 Martin Basti <mba...@redhat.com>:
>
>> Please keep user-list in CC
>>
>> You did not send all information I requested.
>>
>> Please use `rpm -ql ipa-server` to get exact version number
>>
>>
>> On 29.04.2016 13:32, barry...@gmail.com wrote:
>>
>> Error is from GSS API, and I'm thinking if it relates to a cert issue.
>>
>> Server1 > server 2 fail
>> Server 2 > server1 ok
>>
>> FreeIPA 3.0 both
>>
>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
>> bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1):
>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may
>> provide more information (Credentials cache file '/tmp/krb5cc_492' not
>> found)) errno 0 (Success)
>> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389):
>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor
>> code may provide more information (Credentials cache file '/tmp/krb5cc_492'
>> not found))
>> [26/Apr/2016:18:40:19 +0800] - slapd started. Listening on All
>> Interfaces port 389 for LDAP requests
>> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket
>> for LDAPI requests
>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389):
>> Replication bind with GSSAPI auth resumed
>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389):
>> Missing data encountered
>> [26/Apr/2016:18:40:23 +0800]
>>
>>
>> On 29.04.2016 13:02, barry...@gmail.com wrote:
>>
>> Hi All:
>>
>> Is there any method to fall back to the default IPA cert if I didn't
>> back up the original?
>>
>> Now the slapd and IPA cert storage is quite a mess, so they can't
>> replicate even with nsslapd:security set to off.
>>
>>
>> thx
>> Barry
>>
>>
>> Hello Barry,
>>
>> Can you provide more info?
>>
>> What is your IPA version, OS?
>> What are the symptoms you are experiencing?
>> What do you mean by default ipa cert?
>> Can you provide logs from replicas?
>> Can you provide `getcert list` command output?
>> Can you provide `ipactl status` from both servers?
>>
>> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
>> certificates are involved in this.
>>
>> Martin
>>
>>
>>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project