When I first installed our replica, it worked just fine - I could add a user and see it on the master server. And vice versa.
I recently went back to take a look and make sure everything was working - and it's not. ipactl status shows everything is ok. Munge is up. I can ssh hostname between machines. When I look at the ID Views in the interface, I get an "IPA Error 903: InternalError". When I do an id <username> I get no such user.

I did some googling. In /var/log/dirsrv/domain/errors I found this:

[26/Oct/2017:12:31:23.454702287 +1100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/vmdr-linuxidm.unix.domain....@unix.domain.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

I can get `kinit admin` working fine. But there's something wrong. I don't know where to look exactly.

/var/log/httpd/error has this:

RuntimeError: Unable to load file /usr/share/ipa/smb.conf.empty

Which is interesting. There's no file /usr/share/ipa/smb.conf.empty, but there is a /usr/share/ipa/smb.conf.template?

Ok, I think I've found the problem:

ipa-replica-conncheck -c -m <master>
Failed to connect to port 7389 tcp on 10.126.18.73
PKI-CA: Directory Service port (7389): FAILED
ERROR: Port check failed! Inaccessible port(s): 7389 (TCP)

On the master, pki-tomcatd is showing as OK, although nmap -sT -O localhost doesn't show 7389 open.

Where can I look next?

ipa --version
VERSION: 4.5.0, API_VERSION: 2.228

cheers
L.

------
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together." *Greg Bloom* @greggish https://twitter.com/greggish/status/873177525903609857
_______________________________________________ FreeIPA-users mailing list -- firstname.lastname@example.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
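The post ends with a conncheck failure on port 7389 and an nmap run on the master that does not show the port open. The script below is an added diagnostic, not part of the original mail or of FreeIPA itself: it separates "nothing is bound on that port on the master" (service not running or not configured) from "bound, but a connect from the replica fails" (firewall or routing). It assumes bash, GNU coreutils `timeout`, and that you paste in `ss -ltn` output captured on the master; the sample listing and the port list are constructed here (7389 from the post, the others are the standard IPA LDAP/LDAPS/Kerberos ports).

```shell
#!/usr/bin/env bash
# Added example: classify a failing FreeIPA replica port as NOT_LISTENING
# (nothing bound on the master) or BLOCKED (bound but unreachable).

# Ports to check: 7389 is the PKI-CA directory server port from the
# conncheck output in the post; 389/636/88/464 are standard IPA ports.
IPA_PORTS="389 636 88 464 7389"

# Constructed sample of `ss -ltn` output from a master where 7389 is absent.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:389        0.0.0.0:*
LISTEN 0      128    [::]:636           [::]:*
LISTEN 0      128    *:88               *:*
LISTEN 0      128    0.0.0.0:464        0.0.0.0:*'

# port_listening_in LISTING PORT: succeed if PORT is bound on any address
# in the given `ss -ltn` text (pure text processing, testable offline).
port_listening_in() {
  listing="$1"; port="$2"
  printf '%s\n' "$listing" | awk -v p="$port" '
    NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
    END { exit (found ? 0 : 1) }'
}

# tcp_reachable HOST PORT [TIMEOUT]: attempt a TCP connect from this host.
tcp_reachable() {
  host="$1"; port="$2"; t="${3:-3}"
  timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# classify_port HOST PORT LISTING: LISTING is `ss -ltn` taken on HOST.
classify_port() {
  host="$1"; port="$2"; listing="$3"
  if ! port_listening_in "$listing" "$port"; then
    echo "NOT_LISTENING"   # check the service on the master, not the firewall
  elif tcp_reachable "$host" "$port"; then
    echo "OK"
  else
    echo "BLOCKED"         # bound locally but no connect: firewall or route
  fi
}

# check_all_ports HOST LISTING: one line per port, "PORT STATUS".
check_all_ports() {
  for p in $IPA_PORTS; do
    printf '%s %s\n' "$p" "$(classify_port "$1" "$p" "$2")"
  done
}
```

Run `check_all_ports <master-ip> "$(ssh <master> ss -ltn)"` from the replica; a NOT_LISTENING result for 7389 means the port check failed because nothing on the master is serving it, which is where to look before touching firewall rules.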