Lachlan Musicman via FreeIPA-users wrote:
> When I first installed our replica, it worked just fine - I could add a
> user and see it on the master server. And vice versa.
> I recently went back to take a look and make sure everything was working
> - and it's not.
> ipactl status shows everything is ok. Munge is up. I can ssh hostname
> between machines.
> When I look at the ID Views in the interface, I get an "IPA Error 903:
> InternalError".

See /var/log/httpd/error_log for details, there may be a python backtrace.

> When I do an id <username> I get no such user.

> I did some googling. In /var/log/dirsrv/domain/errors I found this:
> [26/Oct/2017:12:31:23.454702287 +1100] - ERR - set_krb5_creds - Could
> not get initial credentials for principal
> [ldap/
> <>] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
> requested realm)
> I can get `kinit admin` working fine. But there's something wrong. I
> don't know where to look exactly.

KRB5_TRACE=/dev/stdout kinit admin

See what KDC kinit is using. It should be using the local box because
masters should point only to themselves.

> /var/log/httpd/error has this
> RuntimeError: Unable to load file /usr/share/ipa/smb.conf.empty
> Which is interesting. There's no file /usr/share/ipa/smb.conf.empty but
> there is a /usr/share/ipa/smb.conf.template?

Probably need more context.

> Ok, I think I've found the problem:
> ipa-replica-conncheck -c -m <master>
> Failed to connect to port 7389 tcp on
>    PKI-CA: Directory Service port (7389): FAILED
> ERROR: Port check failed! Inaccessible port(s): 7389 (TCP)
> On the master, pki-tomcatd is showing as OK, although nmap -sT -O
> localhost doesn't show 7389 open.
> Where can I look next?
> ipa -version
> VERSION: 4.5.0, API_VERSION: 2.228

It shouldn't be even trying port 7389 with v4.5.0. Very old versions of
IPA used to use two separate 389-ds instances, one for the IPA data and
one for the CA data. They were combined long ago. This could just be a
check in case you had a very old master in which case this is a red herring.

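The check suggested in the reply above (see which KDC `kinit` is using, and whether it is the local box) can be scripted over `KRB5_TRACE` output. This is an added example, not part of the original thread: the function names are hypothetical, and the sample trace, realm, host name and addresses are constructed.

```shell
#!/bin/sh
# Added example: list the KDC endpoints a KRB5_TRACE log shows being contacted
# and flag any that are not addresses of this host.

# Print the unique KDC endpoints (addr:port) to which the trace shows a
# request being started. Reads trace text on stdin.
kdcs_contacted() {
    sed -n -E \
        -e 's/.*Sending initial UDP request to dgram ([^ ]+)$/\1/p' \
        -e 's/.*Initiating TCP connection to stream ([^ ]+)$/\1/p' |
        sort -u
}

# Print contacted endpoints whose address is NOT in $1, a space-separated
# list of this host's own addresses. Empty output means kinit only talked
# to the local KDC.
nonlocal_kdcs() {
    local_addrs=" $1 "
    kdcs_contacted | while read -r endpoint; do
        addr=${endpoint%:*}              # strip the trailing ":port"
        case "$local_addrs" in
            *" $addr "*) ;;              # address belongs to this host
            *) printf '%s\n' "$endpoint" ;;
        esac
    done
}

# Constructed sample trace (not output from the thread's servers).
sample_trace() {
    cat <<'EOF'
[2417] 1508981483.454702: Getting initial credentials for admin@EXAMPLE.TEST
[2417] 1508981483.455100: Sending request (177 bytes) to EXAMPLE.TEST
[2417] 1508981483.455900: Resolving hostname ipa2.example.test
[2417] 1508981483.456800: Sending initial UDP request to dgram 192.0.2.12:88
[2417] 1508981484.457900: Initiating TCP connection to stream 192.0.2.11:88
[2417] 1508981484.459000: Sending TCP request to stream 192.0.2.11:88
[2417] 1508981484.470000: Received answer (280 bytes) from stream 192.0.2.11:88
EOF
}

# Live use on a Linux host (assumes `hostname -I` is available):
#   KRB5_TRACE=/dev/stdout kinit admin | nonlocal_kdcs "127.0.0.1 $(hostname -I)"
```

Any line printed by `nonlocal_kdcs` is a KDC on another machine, which is the condition the reply says should not occur on a master.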