Hi! I run IPA on CentOS 7. I have two servers (Leader and Replica, though they changed roles a couple of times because of reinstalls), had CA and domain services on both of them, replication set up and working. I had to switch off Replica for 6 months. When I turned it on recently, I found expired certificates, couldn't fix them easily and lost the old Replica - at least I concluded it was easier to reinstate the Replica than to detangle the mess I made while I was trying to back out of outdated certs. I hit the same error as I do now though - Invalid Credentials (49).
So I did the following:
1) on Replica - ipa-server-install --uninstall.
2) on Leader - ipa-replica-manage del --force --clean Replica.
3) removed obsolete replication agreement meToReplica from Leader.
4) removed all traces of Replica from DNS.

Then I started to install Replica from scratch:
1) ipa-client-install
2) ipa-replica-install --setup-ca --setup-dns --forwarder X --forwarder Y

Installation consistently fails with:
'''
Run connection check to master
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
<...>
  [29/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 16 seconds elapsed
[ldap://Leader:389] reports: Update failed! Status: [Error (49) - LDAP error: Invalid credentials]
[error] RuntimeError: Failed to start replication
'''

Logs from Leader, /var/log/dirsrv/slapd-DOMAIN/errors:
'''
[<DATE>] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
'''

I verified clocks on both Replica and Leader - they show the same time (within a 1-2 second diff window). In fact, at some point I had Replica taking time straight from Leader, before they were set up to use the other common source.

I dumped traffic between Leader and Replica - indeed, Leader tried to authenticate on Replica and Replica replies "Invalid credentials".

I googled this error and read multiple email threads but nothing helped so far. Replica works fine as an IPA client but can't get promoted to a replica.

What am I missing?

Thanks!
-- 
Khankin Konstantin
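An added example, not part of the post or of FreeIPA: a small Python check that parses dirsrv errors-log lines in the format quoted above and reports replication agreements with repeated LDAP error 49 bind failures, so a broken replication bind is noticed from the log rather than from the next failed install attempt. The sample lines, hosts and timestamps below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the 389-ds (dirsrv) errors-log line quoted in the post:
#   [<DATE>] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=NAME" (host:port)
#   - Replication bind with MECH auth failed: LDAP error N (reason) ()
BIND_FAIL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - NSMMReplicationPlugin - bind_and_check_pwp'
    r' - agmt="cn=(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\)'
    r' - Replication bind with (?P<mech>\w+) auth failed: LDAP error (?P<code>\d+) \((?P<reason>[^)]*)\)'
)

# Constructed sample log (placeholder hosts and timestamps, not taken from the post):
# one unrelated line, three GSSAPI failures for one agreement, one SIMPLE failure for another.
SAMPLE_LOG = [
    "[12/Mar/2020:10:15:01.000000000 +0000] - INFO - slapd_daemon - slapd started.",
    '[12/Mar/2020:10:15:02.100000000 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()',
    '[12/Mar/2020:10:15:07.200000000 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()',
    '[12/Mar/2020:10:15:12.300000000 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()',
    '[12/Mar/2020:10:16:00.000000000 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToReplica2.domain" (replica2:389) - Replication bind with SIMPLE auth failed: LDAP error 49 (Invalid credentials) ()',
]


def parse_bind_failures(lines):
    """Return one dict per replication bind failure; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = BIND_FAIL_RE.match(line.strip())
        if not m:
            continue
        # Drop the fractional seconds and timezone offset before parsing the timestamp.
        stamp = datetime.strptime(m["ts"].split(".")[0], "%d/%b/%Y:%H:%M:%S")
        events.append({"ts": stamp, "agmt": m["agmt"], "host": m["host"], "mech": m["mech"],
                       "code": int(m["code"]), "reason": m["reason"]})
    return events


def failing_agreements(lines, threshold=3):
    """Agreements with at least `threshold` error-49 bind failures, keyed by
    (agreement, peer host, auth mechanism). Repeated 49s mean the peer keeps
    rejecting the supplier's credentials, which is worth alerting on."""
    counts = defaultdict(int)
    for ev in parse_bind_failures(lines):
        if ev["code"] == 49:
            counts[(ev["agmt"], ev["host"], ev["mech"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (agmt, host, mech), n in failing_agreements(SAMPLE_LOG).items():
        print(f"{agmt} -> {host}: {n} {mech} bind failures with LDAP error 49")
```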
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
