Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-05-10 Thread barrykfl
Just wondering whether the FreeIPA package will have bugs if the OS is too old.
On 10 May 2016 at 15:09, "Lukas Slebodnik" wrote:

> On (10/05/16 08:19), barry...@gmail.com wrote:
> >Do you mean the error is related to the OS?
> I mean that there are known bugs in FreeIPA components.
> 389-ds, sssd
> CentOS 6.5 is quite an old version.
>
> I would really recommend upgrading to the latest CentOS.
> If there are still problems on the latest CentOS then
> we can try to continue with troubleshooting.
>
> It is not worth spending time analyzing already fixed bugs.
>
> LS
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-05-10 Thread Lukas Slebodnik
On (10/05/16 08:19), barry...@gmail.com wrote:
>Do you mean the error is related to the OS?
I mean that there are known bugs in FreeIPA components.
389-ds, sssd
CentOS 6.5 is quite an old version.

I would really recommend upgrading to the latest CentOS.
If there are still problems on the latest CentOS then
we can try to continue with troubleshooting.

It is not worth spending time analyzing already fixed bugs.

LS



Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-05-09 Thread barrykfl
Do you mean the error is related to the OS?
On 9 May 2016 at 19:17, "Lukas Slebodnik" wrote:

> On (09/05/16 12:14), Barry wrote:
> >  Hello Barry,
> >
> >Can you provide more info?
> >
> >What is your IPA version, OS?
> >
> >CENTOS 6.5
> >
> Please upgrade to the latest CentOS 6.7;
> there are known bugs in CentOS 6.5
> which are already fixed in CentOS 6.7.
>
> LS
>

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-05-09 Thread Lukas Slebodnik
On (09/05/16 12:14), Barry wrote:
>  Hello Barry,
>
>Can you provide more info?
>
>What is your IPA version, OS?
>
>CENTOS 6.5
>
Please upgrade to the latest CentOS 6.7;
there are known bugs in CentOS 6.5
which are already fixed in CentOS 6.7.

LS



Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-05-08 Thread barrykfl
 Hello Barry,

Can you provide more info?

What is your IPA version, OS?

CENTOS 6.5

server1 - ipa-server-3.0.0-47.el6.centos.2.x86_64
server 2 - ipa-server-3.0.0-37.el6.x86_64

What are the symptoms you are experiencing?

server1's updates do not transfer to server 2, but server 2 can transfer to
server 1 even though the cert expired.

What do you mean by default ipa cert? If the cert is the issue, then fall back to
the original, non-expired self-signed cert.

Can you provide logs from replicas?

From server 2

[09/May/2016:12:09:05 +0800] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49
(Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (Unknown error))
errno 0 (Success)
[09/May/2016:12:09:05 +0800] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)

Can you provide `getcert list` command output?

Server 1 -  Number of certificates and requests being tracked: 0.  < NO
record
Server 2 -

Number of certificates and requests being tracked: 3.
Request ID '20140106083849':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ABC.COM
subject: CN=central02.ABC.com,O=ABC.COM
expires: 2015-12-19 06:40:44 UTC
eku: id-kp-ABCAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ABC-COM
track: yes
auto-renew: yes
Request ID '20140106083931':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ABC.COM
subject: CN=central02.ABC.com,O=ABC.COM
expires: 2015-12-19 06:40:46 UTC
eku: id-kp-ABCAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20140106083944':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=ABC.COM 
subject: CN=IPA RA,O=ABC.COM 
expires: 2015-11-12 08:41:45 UTC
eku: id-kp-ABCAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes


Can you provide `ipactl status` from both servers?

Server1 - Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING


Server 2 -

Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

Now I don't want any cert, just GSSAPI to work...

2016-05-02 18:28 GMT+08:00 Martin Basti :

> Hello,
>
> Can you try to upgrade the server to the same version?
>
> You did not provide all the information I requested.
>
> Martin
>
>
> On 29.04.2016 19:13, barry...@gmail.com wrote:
>
> server 1:
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> server2
>
> ipa-server-3.0.0-37.el6.x86_64
>
> 2016-04-30 1:10 GMT+08:00 :
>
>>
>> ipa-server-3.0.0-37.el6.x86_64  << here
>>
>> 2016-04-29 19:36 GMT+08:00 Martin Basti :
>>
>>> Please keep the user list in CC.
>>>
>>> You did not send all the information I requested.
>>>
>>> Please use `rpm -ql ipa-server` to get the exact version number.
>>>
>>>
>>> On 29.04.2016 13:32, barry...@gmail.com wrote:
>>>
>>> Error is from GSS API and I'm thinking whether it relates to a cert issue.
>>>
>>> Server1> server 2 fail
>>> Server 2   > server1 ok
>>>
>>> Freeipa 3.0  both
>>>
>>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
>>> bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1):
>>> generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>>> provide more information (Credentials cache file '/tmp/krb5cc_492' not
>>> found)) errno 0 (Success)
>>> 

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-05-08 Thread Barry
  Hello Barry,

Can you provide more info?

What is your IPA version, OS?

CENTOS 6.5

server1 - ipa-server-3.0.0-47.el6.centos.2.x86_64
server 2 - ipa-server-3.0.0-37.el6.x86_64

What are the symptoms you are experiencing?

server1's updates do not transfer to server 2, but server 2 can transfer to
server 1 even though the cert expired.

What do you mean by default ipa cert? If the cert is the issue, then fall back to
the original, non-expired self-signed cert.

Can you provide logs from replicas?

From server 2

[09/May/2016:12:09:05 +0800] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49
(Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (Unknown error))
errno 0 (Success)
[09/May/2016:12:09:05 +0800] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)

Can you provide `getcert list` command output?

Server 1 -  Number of certificates and requests being tracked: 0.  < NO
record
Server 2 -

Number of certificates and requests being tracked: 3.
Request ID '20140106083849':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ABC.COM
subject: CN=central02.ABC.com,O=ABC.COM
expires: 2015-12-19 06:40:44 UTC
eku: id-kp-ABCAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ABC-COM
track: yes
auto-renew: yes
Request ID '20140106083931':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ABC.COM
subject: CN=central02.ABC.com,O=ABC.COM
expires: 2015-12-19 06:40:46 UTC
eku: id-kp-ABCAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20140106083944':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=ABC.COM
subject: CN=IPA RA,O=ABC.COM
expires: 2015-11-12 08:41:45 UTC
eku: id-kp-ABCAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes


Can you provide `ipactl status` from both servers?

Server1 - Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING


Server 2 -

Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

Now I don't want any cert, just GSSAPI to work...


Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
certificates are involved in this.

Martin


2016-05-02 18:28 GMT+08:00 Martin Basti :

> Hello,
>
> Can you try to upgrade the server to the same version?
>
> You did not provide all the information I requested.
>
> Martin
>
>
> On 29.04.2016 19:13, barry...@gmail.com wrote:
>
> server 1:
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> server2
>
> ipa-server-3.0.0-37.el6.x86_64
>
> 2016-04-30 1:10 GMT+08:00 :
>
>>
>> ipa-server-3.0.0-37.el6.x86_64  << here
>>
>> 2016-04-29 19:36 GMT+08:00 Martin Basti :
>>
>>> Please keep the user list in CC.
>>>
>>> You did not send all the information I requested.
>>>
>>> Please use `rpm -ql ipa-server` to get the exact version number.
>>>
>>>
>>> On 29.04.2016 13:32, barry...@gmail.com wrote:
>>>
>>> Error is from GSS API and I'm thinking whether it relates to a cert issue.
>>>
>>> Server1> server 2 fail
>>> Server 2   > server1 ok
>>>
>>> Freeipa 3.0  both
>>>
>>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
>>> bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1):
>>> generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>>> provide more information (Credentials cache file '/tmp/krb5cc_492' not
>>> found)) errno 0 (Success)
>>> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - 
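The two artefacts Barry posted above, 389-ds error-log lines reporting a failed GSSAPI replication bind and `getcert list` output with stuck, expired requests, are the kind of evidence a monitoring job on a replica can read automatically. The script below is an added example written for this page, not code from the thread or from the FreeIPA project. It parses constructed samples modelled on the quoted output (hostnames and realm are placeholders) and reports, per replication agreement, whether the last GSSAPI bind failed and which of the two causes seen in the thread applies (local credential cache missing, as in the `-2 (Local error)` lines, or credentials rejected by the peer, as in the `49 (Invalid credentials)` lines), plus every certmonger request that is stuck, expired, or no longer in `MONITORING` state.

```python
"""Triage helper for the failure pattern in this thread: replication agreements whose
GSSAPI bind fails, plus certmonger entries that are stuck or expired. Every sample
input below is constructed for this example (placeholder hosts/realm)."""
import json
import re
from datetime import datetime, timezone

# Constructed 389-ds error-log lines (not the thread's own output).
SAMPLE_ERRORS_LOG = """\
[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.example.test" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.example.test" (central02:389): Replication bind with GSSAPI auth resumed
[09/May/2016:12:09:05 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral01.example.test" (central01:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown error))
"""

# Constructed `getcert list` output: one stuck, expired request and one healthy one.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20140106083849':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=central02.example.test,O=EXAMPLE.TEST
    expires: 2015-12-19 06:40:44 UTC
Request ID '20140106083931':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=central02.example.test,O=EXAMPLE.TEST
    expires: 2017-12-19 06:40:46 UTC
"""

# Reference time for the expiry check: the thread's own timeframe (May 2016).
THREAD_NOW = datetime(2016, 5, 9, tzinfo=timezone.utc)

# One agreement's GSSAPI bind outcome as logged by NSMMReplicationPlugin.
AGMT_BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r"\((?P<peer>[^)]+)\): Replication bind with GSSAPI auth "
    r"(?P<outcome>failed|resumed)(?:: LDAP error (?P<code>-?\d+) \((?P<desc>[^)]*)\))?"
)
GETCERT_FIELDS = {"status", "stuck", "expires", "subject", "key pair storage"}

def classify_cause(line):
    """Map the GSSAPI minor-code text to the two causes seen in the thread."""
    if "Credentials cache file" in line and "not found" in line:
        return "missing-credential-cache"      # LDAP error -2: this side has no ticket
    if "Invalid credentials" in line:
        return "credentials-rejected-by-peer"  # LDAP error 49: the peer refused the bind
    return "unknown"

def replication_bind_state(log_text):
    """Latest bind outcome per agreement; a later 'resumed' clears an earlier failure."""
    state = {}
    for line in log_text.splitlines():
        m = AGMT_BIND_RE.match(line)
        if not m:
            continue
        entry = {"peer": m.group("peer"), "outcome": m.group("outcome"), "at": m.group("ts")}
        if m.group("outcome") == "failed":
            entry["ldap_error"] = int(m.group("code")) if m.group("code") else None
            entry["cause"] = classify_cause(line)
        state[m.group("agmt")] = entry
    return state

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    requests = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Request ID '"):
            requests.append({"request_id": line[len("Request ID '"):].split("'")[0]})
        elif requests and line.partition(":")[0] in GETCERT_FIELDS:
            key, _, value = line.partition(":")   # split on the first colon only
            requests[-1][key] = value.strip()
    return requests

def certmonger_findings(text, now):
    """Requests that are not MONITORING, are stuck, or have already expired."""
    findings = []
    for req in parse_getcert_list(text):
        problems = []
        if req.get("status") != "MONITORING":
            problems.append("status=" + req.get("status", "?"))
        if req.get("stuck") == "yes":
            problems.append("renewal stuck")
        exp = req.get("expires")
        if exp and datetime.strptime(exp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc) <= now:
            problems.append("expired " + exp)
        if problems:
            findings.append({"request_id": req["request_id"], "subject": req.get("subject"), "problems": problems})
    return findings

if __name__ == "__main__":
    report = {"bind_state": replication_bind_state(SAMPLE_ERRORS_LOG),
              "certmonger": certmonger_findings(SAMPLE_GETCERT, THREAD_NOW)}
    print(json.dumps(report, indent=2))
```

Only the most recent event per agreement is kept, so the `resumed` line that follows the first failure in the sample clears that agreement, exactly as the thread's own log shows after slapd restarted; the agreement that last logged `LDAP error 49` stays flagged. The expiry check takes an explicit reference time so the result is reproducible; a real job would pass the current time.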

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-05-02 Thread Martin Basti

Hello,

Can you try to upgrade the server to the same version?

You did not provide all the information I requested.

Martin

On 29.04.2016 19:13, barry...@gmail.com wrote:

server 1:
ipa-server-3.0.0-26.el6_4.4.x86_64

server2

ipa-server-3.0.0-37.el6.x86_64

2016-04-30 1:10 GMT+08:00 :



ipa-server-3.0.0-37.el6.x86_64  << here

2016-04-29 19:36 GMT+08:00 Martin Basti :

Please keep the user list in CC.

You did not send all the information I requested.

Please use `rpm -ql ipa-server` to get the exact version number.


On 29.04.2016 13:32, barry...@gmail.com wrote:


Error is from GSS API and I'm thinking whether it relates to a cert issue.

Server1> server 2 fail
Server 2   > server1 ok

Freeipa 3.0  both

slapd_ldap_sasl_interactive_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more
information (Credentials cache file '/tmp/krb5cc_492' not
found)) errno 0 (Success)
[26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could
not perform interactive bind for id [] mech [GSSAPI]: error
-2 (Local error)
[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin -
agmt="cn=meTocentral02.ABC.com" (central02:389): Replication
bind with GSSAPI auth failed: LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (Credentials
cache file '/tmp/krb5cc_492' not found))
[26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on
All Interfaces port 389 for LDAP requests
[26/Apr/2016:18:40:19 +0800] - Listening on
/var/run/slapd-ABC-COM.socket for LDAPI requests
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin -
agmt="cn=meTocentral02.ABC.com" (central02:389): Replication
bind with GSSAPI auth resumed
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin -
agmt="cn=meTocentral02.ABC.com" (central02:389): Missing
data encountered
[26/Apr/2016:18:40:23 +0800]



On 29.04.2016 13:02, barry...@gmail.com wrote:

Hi All:

Any method to fall back to the default ipa cert if I didn't
back up the original?

Now the slapd and ipa cert storage is quite a mess, so they can't
replicate even after setting nsslapd:security to off.


thx
Barry



Hello Barry,

Can you provide more info?

What is your IPA version, OS?
What are the symptoms you are experiencing?
What do you mean by default ipa cert ?
Can you provide logs from replicas?
Can you provide `getcert list` command output?
Can you provide `ipactl status` from both servers?

Replication uses GSSAPI, at least on new IPA versions, I'm
not sure if certificates are involved in this.

Martin







Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
server 1:
ipa-server-3.0.0-26.el6_4.4.x86_64

server2

ipa-server-3.0.0-37.el6.x86_64

2016-04-30 1:10 GMT+08:00 :

>
> ipa-server-3.0.0-37.el6.x86_64  << here
>
> 2016-04-29 19:36 GMT+08:00 Martin Basti :
>
>> Please keep the user list in CC.
>>
>> You did not send all the information I requested.
>>
>> Please use `rpm -ql ipa-server` to get the exact version number.
>>
>>
>> On 29.04.2016 13:32, barry...@gmail.com wrote:
>>
>> Error is from GSS API and I'm thinking whether it relates to a cert issue.
>>
>> Server1> server 2 fail
>> Server 2   > server1 ok
>>
>> Freeipa 3.0  both
>>
>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
>> bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1):
>> generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>> provide more information (Credentials cache file '/tmp/krb5cc_492' not
>> found)) errno 0 (Success)
>> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=
>> meTocentral02.ABC.com " (central02:389):
>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor
>> code may provide more information (Credentials cache file '/tmp/krb5cc_492'
>> not found))
>> [26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All
>> Interfaces port 389 for LDAP requests
>> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket
>> for LDAPI requests
>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=
>> meTocentral02.ABC.com " (central02:389):
>> Replication bind with GSSAPI auth resumed
>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=
>> meTocentral02.ABC.com " (central02:389):
>> Missing data encountered
>> [26/Apr/2016:18:40:23 +0800]
>>
>>
>> On 29.04.2016 13:02, barry...@gmail.com wrote:
>>
>> Hi All:
>>
>> Any method to fall back to the default ipa cert if I didn't back up the original?
>>
>> Now the slapd and ipa cert storage is quite a mess, so they can't replicate
>> even after setting nsslapd:security to off.
>>
>>
>> thx
>> Barry
>>
>>
>> Hello Barry,
>>
>> Can you provide more info?
>>
>> What is your IPA version, OS?
>> What are the symptoms you are experiencing?
>> What do you mean by default ipa cert ?
>> Can you provide logs from replicas?
>> Can you provide `getcert list` command output?
>> Can you provide `ipactl status` from both servers?
>>
>> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
>> certificates are involved in this.
>>
>> Martin
>>
>>
>>
>

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
ipa-server-3.0.0-37.el6.x86_64  << here

2016-04-29 19:36 GMT+08:00 Martin Basti :

> Please keep the user list in CC.
>
> You did not send all the information I requested.
>
> Please use `rpm -ql ipa-server` to get the exact version number.
>
>
> On 29.04.2016 13:32, barry...@gmail.com wrote:
>
> Error is from GSS API and I'm thinking whether it relates to a cert issue.
>
> Server1> server 2 fail
> Server 2   > server1 ok
>
> Freeipa 3.0  both
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
> bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1):
> generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
> provide more information (Credentials cache file '/tmp/krb5cc_492' not
> found)) errno 0 (Success)
> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=
> meTocentral02.ABC.com " (central02:389):
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor
> code may provide more information (Credentials cache file '/tmp/krb5cc_492'
> not found))
> [26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket
> for LDAPI requests
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=
> meTocentral02.ABC.com " (central02:389):
> Replication bind with GSSAPI auth resumed
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=
> meTocentral02.ABC.com " (central02:389):
> Missing data encountered
> [26/Apr/2016:18:40:23 +0800]
>
>
> On 29.04.2016 13:02, barry...@gmail.com wrote:
>
> Hi All:
>
> Any method to fall back to the default ipa cert if I didn't back up the original?
>
> Now the slapd and ipa cert storage is quite a mess, so they can't replicate
> even after setting nsslapd:security to off.
>
>
> thx
> Barry
>
>
> Hello Barry,
>
> Can you provide more info?
>
> What is your IPA version, OS?
> What are the symptoms you are experiencing?
> What do you mean by default ipa cert ?
> Can you provide logs from replicas?
> Can you provide `getcert list` command output?
> Can you provide `ipactl status` from both servers?
>
> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
> certificates are involved in this.
>
> Martin
>
>
>

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread Martin Basti

Please keep the user list in CC.

You did not send all the information I requested.

Please use `rpm -ql ipa-server` to get the exact version number.

On 29.04.2016 13:32, barry...@gmail.com wrote:


Error is from GSS API and I'm thinking whether it relates to a cert issue.

Server1> server 2 fail
Server 2   > server1 ok

Freeipa 3.0  both

slapd_ldap_sasl_interactive_bind - Error: could not perform 
interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) 
(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Credentials cache file 
'/tmp/krb5cc_492' not found)) errno 0 (Success)
[26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - 
agmt="cn=meTocentral02.ABC.com"
(central02:389): Replication bind with GSSAPI auth failed: LDAP error 
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (Credentials 
cache file '/tmp/krb5cc_492' not found))
[26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests
[26/Apr/2016:18:40:19 +0800] - Listening on 
/var/run/slapd-ABC-COM.socket for LDAPI requests
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - 
agmt="cn=meTocentral02.ABC.com"
(central02:389): Replication bind with GSSAPI auth resumed
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - 
agmt="cn=meTocentral02.ABC.com"
(central02:389): Missing data encountered

[26/Apr/2016:18:40:23 +0800]



On 29.04.2016 13:02, barry...@gmail.com  wrote:

Hi All:

Any method to fall back to the default ipa cert if I didn't back up the original?

Now the slapd and ipa cert storage is quite a mess, so they can't
replicate even after setting nsslapd:security to off.



thx
Barry



Hello Barry,

Can you provide more info?

What is your IPA version, OS?
What are the symptoms you are experiencing?
What do you mean by default ipa cert ?
Can you provide logs from replicas?
Can you provide `getcert list` command output?
Can you provide `ipactl status` from both servers?

Replication uses GSSAPI, at least on new IPA versions, I'm not sure if 
certificates are involved in this.


Martin



Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread Martin Basti



On 29.04.2016 13:02, barry...@gmail.com wrote:

Hi All:

Any method to fall back to the default ipa cert if I didn't back up the original?

Now the slapd and ipa cert storage is quite a mess, so they can't replicate
even after setting nsslapd:security to off.



thx
Barry



Hello Barry,

Can you provide more info?

What is your IPA version, OS?
What are the symptoms you are experiencing?
What do you mean by default ipa cert ?
Can you provide logs from replicas?
Can you provide `getcert list` command output?
Can you provide `ipactl status` from both servers?

Replication uses GSSAPI, at least on new IPA versions, I'm not sure if 
certificates are involved in this.


Martin

[Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
Hi All:

Any method to fall back to the default ipa cert if I didn't back up the original?

Now the slapd and ipa cert storage is quite a mess, so they can't replicate even
after setting nsslapd:security to off.


thx
Barry