On 19-10-17 15:07, Alexander Bokovoy wrote:
> On to, 19 loka 2017, Kees Bakker via FreeIPA-users wrote:
>> [...]
>> [18/Oct/2017:11:24:27 +0200] NSMMReplicationPlugin - 
>> agmt="cn=meTolinge.ghs.nl" (linge:389): Replication bind with GSSAPI auth 
>> resumed
>> Again, I would really appreciate if someone could hint how to debug this.
>> For example, what commands can I use to check the connection (in both 
>> directions)?
> My understanding is that if you get the last message ("Replication bind
> with GSSAPI auth resumed"), you don't need to worry about the ones
> above. An intermittent issue of expired ticket is OK, SASL GSSAPI
> mechanism in CyrusSASL will reacquire credentials again after few
> attempts. Technically these could be multiple times depending on how
> many threads are utilizing the same creds at the same time.

Thanks Alexander,
I'll let it run for a couple of days then and see how often this pops up.

I've checked the tickets as follows (from the Troubleshooting page [1]), and it 
there nothing wrong with them.
# kinit -kt /etc/dirsrv/ds.keytab ldap/`hostname --fqdn`
# klist
# ldapsearch -Y GSSAPI -h linge.ghs.nl -b "" -s base
# ldapsearch -Y GSSAPI -h rotte.ghs.nl -b "" -s base

The only noteworthy difference is this:
@@ -74,12 +75,12 @@
 supportedLDAPVersion: 3
 vendorName: 389 Project
 vendorVersion: 389-Directory/ B2016.109.158
-dataversion: 020171016093621020171016093621
-netscapemdsuffix: cn=ldap://dc=linge,dc=ghs,dc=nl:389
-lastusn: 174571
+dataversion: 020171011071705020171011071705020171011071705
+netscapemdsuffix: cn=ldap://dc=rotte,dc=ghs,dc=nl:389
+lastusn: 8107596
 changeLog: cn=changelog
-firstchangenumber: 25375
-lastchangenumber: 35897
+firstchangenumber: 2505058
+lastchangenumber: 2518477
 ipatopologypluginversion: 1.0
 ipatopologyismanaged: on
 ipaDomainLevel: 1

Kees Bakker
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to