On Thu, 19 Oct 2017, Kees Bakker via FreeIPA-users wrote:
On 19-10-17 15:07, Alexander Bokovoy wrote:
On Thu, 19 Oct 2017, Kees Bakker via FreeIPA-users wrote:
[...]
[18/Oct/2017:11:24:27 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl" (linge:389): Replication bind with GSSAPI auth resumed

Again, I would really appreciate if someone could hint how to debug this.
For example, what commands can I use to check the connection (in both 
directions)?
My understanding is that if you get the last message ("Replication bind
with GSSAPI auth resumed"), you don't need to worry about the ones
above. An intermittent issue of an expired ticket is OK; the SASL GSSAPI
mechanism in CyrusSASL will reacquire credentials again after a few
attempts. Technically these could be multiple times depending on how
many threads are utilizing the same creds at the same time.


Thanks Alexander,
I'll let it run for a couple of days then and see how often this pops up.

I've checked the tickets as follows (from the Troubleshooting page [1]), and it
looks like there is nothing wrong with them.
# kinit -kt /etc/dirsrv/ds.keytab ldap/`hostname --fqdn`
# klist
# ldapsearch -Y GSSAPI -h linge.ghs.nl -b "" -s base
# ldapsearch -Y GSSAPI -h rotte.ghs.nl -b "" -s base


The only noteworthy difference is this:
@@ -74,12 +75,12 @@
 supportedLDAPVersion: 3
 vendorName: 389 Project
 vendorVersion: 389-Directory/1.3.4.9 B2016.109.158
-dataversion: 020171016093621020171016093621
-netscapemdsuffix: cn=ldap://dc=linge,dc=ghs,dc=nl:389
-lastusn: 174571
+dataversion: 020171011071705020171011071705020171011071705
+netscapemdsuffix: cn=ldap://dc=rotte,dc=ghs,dc=nl:389
+lastusn: 8107596
 changeLog: cn=changelog
-firstchangenumber: 25375
-lastchangenumber: 35897
+firstchangenumber: 2505058
+lastchangenumber: 2518477
 ipatopologypluginversion: 1.0
 ipatopologyismanaged: on
 ipaDomainLevel: 1
The difference above is expected. In short, I don't see any serious
issue.

--
/ Alexander Bokovoy
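
Added example (not part of the original thread, and not FreeIPA or 389-ds code): one way to see how often the GSSAPI replication bind drops and whether each drop was followed by the "resumed" message discussed above. The "auth failed" line wording is an assumption modelled on the "resumed" line quoted in the thread; the sample log lines and host names are constructed.

```python
import re
import sys
from datetime import datetime

# Constructed sample (hosts and times are made up). The "failed" wording is an
# assumption modelled on the "resumed" line quoted in the thread.
SAMPLE_LOG = """\
[18/Oct/2017:11:24:20 +0200] NSMMReplicationPlugin - agmt="cn=meToreplica-a.example.test" (replica-a:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
[18/Oct/2017:11:24:23 +0200] NSMMReplicationPlugin - agmt="cn=meToreplica-a.example.test" (replica-a:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
[18/Oct/2017:11:24:27 +0200] NSMMReplicationPlugin - agmt="cn=meToreplica-a.example.test" (replica-a:389): Replication bind with GSSAPI auth resumed
[18/Oct/2017:12:00:00 +0200] NSMMReplicationPlugin - agmt="cn=meToreplica-b.example.test" (replica-b:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
[18/Oct/2017:12:05:00 +0200] NSMMReplicationPlugin - agmt="cn=meToreplica-b.example.test" (replica-b:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<peer>[^)]+)\): Replication bind with GSSAPI auth '
    r'(?P<state>failed|resumed)'
)

def summarize(lines):
    """Per agreement: failure count, outage durations (s), and open outage start."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats.setdefault(m["agmt"], {"peer": m["peer"], "failures": 0,
                                         "outages": [], "down_since": None})
        if m["state"] == "failed":
            s["failures"] += 1
            # Several threads may log a failure; the outage starts at the first.
            if s["down_since"] is None:
                s["down_since"] = ts
        elif s["down_since"] is not None:
            s["outages"].append((ts - s["down_since"]).total_seconds())
            s["down_since"] = None
    return stats

def unresolved(stats):
    """Agreements whose last failure was never followed by 'resumed'."""
    return sorted(a for a, s in stats.items() if s["down_since"] is not None)

if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    result = summarize(src)
    for agmt, s in result.items():
        print(agmt, s["peer"], "failures:", s["failures"], "outages(s):", s["outages"])
    print("still failing:", unresolved(result))
```

Pass the directory server's errors log as the first argument; agreements listed under "still failing" are the ones worth investigating, while short outages that end in "resumed" match the intermittent ticket expiry described above.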