When I first installed our replica, it worked just fine - I could add a
user and see it on the master server. And vice versa.

I recently went back to take a look and make sure everything was working -
and it's not.

ipactl status shows everything is ok. Munge is up. I can ssh hostname
between machines.

When I look at the ID Views in the interface, I get an "IPA Error 903:

When I do an id <username> I get nosuch user.

I did some googling. In /var log/dirsrv/domain/errors I found this:

[26/Oct/2017:12:31:23.454702287 +1100] - ERR - set_krb5_creds - Could not
get initial credentials for principal [ldap/
vmdr-linuxidm.unix.domain....@unix.domain.com] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)

I can get `kinit admin` working fine. But there's something wrong. I don't
know where to look exactly.

/var/log/httpd/error has this

RuntimeError: Unable to load file /usr/share/ipa/smb.conf.empty

Which is interesting. There's no file /usr/share/ipa/smb.conf.empty but
there is a /usr/share/ipa/smb.conf.template?

Ok, I think I've found the problem:

ipa-replica-conncheck -c -m <master>
Failed to connect to port 7389 tcp on
   PKI-CA: Directory Service port (7389): FAILED
ERROR: Port check failed! Inaccessible port(s): 7389 (TCP)

On the master, pki-tomcatd is showing as OK, although nmap -sT -O localhost
doesn't show 7389 open.

Where can I look next?

ipa -version
VERSION: 4.5.0, API_VERSION: 2.228


"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics
is the insistence that we cannot ignore the truth, nor should we panic
about it. It is a shared consciousness that our institutions have failed
and our ecosystem is collapsing, yet we are still here — and we are
creative agents who can shape our destinies. Apocalyptic civics is the
conviction that the only way out is through, and the only way through is
together. "

*Greg Bloom* @greggish
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to