Konstantin M. Khankin via FreeIPA-users wrote:
> Hi!
>
> Bumping this thread. Does anyone have any ideas?

I'd uninstall the replica and ensure that all remnants are gone with:

$ ipa server-del <host>
$ ipa host-del <host>

And if you're extra paranoid, do an LDIF dump of the database and sift through that.

rob

>
> Thanks!
>
>
> Sun, 9 Aug 2020, 08:23 Konstantin M. Khankin <[email protected] <mailto:[email protected]>>:
>
> Hi!
>
> I run IPA on CentOS 7. I have two servers (Leader and Replica, though they
> changed roles a couple of times because of reinstalls), had ca and domain
> services on both of them, replication set up and working. I had to switch
> off Replica for 6 months. When I turned it on recently, I found expired
> certificates, couldn't fix them easily and lost the old Replica - at least
> I concluded it was easier to reinstate the Replica than to detangle the
> mess I made while I was trying to back out of outdated certs. I hit the
> same error as I do now though - Invalid Credentials (49).
>
> So I did the following:
>
> 1) on Replica - ipa-server-install --uninstall.
> 2) on Leader - ipa-replica-manage del --force --clean Replica.
> 3) removed obsolete replication agreement meToReplica from Leader.
> 4) removed all traces of Replica from DNS.
>
> Then I started to install Replica from scratch:
>
> 1) ipa-client-install
> 2) ipa-replica-install --setup-ca --setup-dns --forwarder X --forwarder Y
>
> Installation consistently fails with:
>
> '''
> Run connection check to master
> Connection check OK
> Configuring directory server (dirsrv). Estimated time: 30 seconds
> <...>
> [29/42]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 16 seconds elapsed
> [ldap://Leader:389] reports: Update failed! Status: [Error (49) - LDAP error: Invalid credentials]
>
> [error] RuntimeError: Failed to start replication
> '''
>
> Logs from Leader, /var/log/dirsrv/slapd-DOMAIN/errors:
>
> '''
> [<DATE>] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
> '''
>
> I verified clocks on both Replica and Leader - they show the same time
> (within a 1-2 second diff window). In fact, at some point I had Replica
> taking time straight from Leader, before they were set up to use the other
> common source. I dumped traffic between Leader and Replica - indeed, Leader
> tried to authenticate on Replica and Replica replied "Invalid credentials".
>
> I googled this error and read multiple email threads but nothing helped so
> far. Replica works fine as an IPA client but can't get promoted to a replica.
>
> What am I missing?
>
> Thanks!
>
> --
> Khankin Konstantin
>
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
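As an added example, not part of the thread or of FreeIPA itself: a small POSIX shell/awk helper for the "sift through the LDIF dump" step above. It reads a 389-ds LDIF export on stdin, unfolds LDIF continuation lines (a leading space continues the previous line, so a hostname wrapped across lines is not missed by a plain grep) and prints the DN of every entry that still mentions the removed replica's hostname. The sample LDIF, the example.test domain and the leader/replica hostnames are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of a 389-ds LDIF export (not a real dump from the thread).
# The last entry folds the hostname across two lines, as LDIF allows.
SAMPLE_LDIF='dn: cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
cn: masters

dn: cn=replica.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
cn: replica.example.test

dn: cn=meToreplica.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: replica.example.test

dn: fqdn=leader.example.test,cn=computers,cn=accounts,dc=example,dc=test
fqdn: leader.example.test
krbPrincipalName: host/leader.example.test@EXAMPLE.TEST

dn: idnsname=_ldap._tcp,idnsname=example.test.,cn=dns,dc=example,dc=test
sRVRecord: 0 100 389 leader.example.test.
sRVRecord: 0 100 389 replica.exa
 mple.test.
'

# ldif_remnants HOST: read LDIF on stdin, print the DN of every entry that
# mentions HOST anywhere (in the DN or in an attribute value), case-insensitively.
ldif_remnants() {
  awk -v host="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    BEGIN { RS = ""; FS = "\n" }          # one record per blank-line-separated entry
    {
      n = 0
      for (i = 1; i <= NF; i++) {          # unfold: a leading space continues the previous line
        if (substr($i, 1, 1) == " ") lines[n] = lines[n] substr($i, 2)
        else lines[++n] = $i
      }
      dn = ""; hit = 0
      for (i = 1; i <= n; i++) {
        if (tolower(substr(lines[i], 1, 3)) == "dn:") dn = lines[i]
        if (index(tolower(lines[i]), host) > 0) hit = 1
      }
      if (hit && dn != "") print dn
      split("", lines)                     # reset the array for the next entry
    }'
}

# Sift the constructed dump for anything still referring to the old replica.
printf '%s\n' "$SAMPLE_LDIF" | ldif_remnants replica.example.test
```

On a real server the dump would come from the directory server's LDIF export rather than the inline sample; every DN printed is a candidate remnant to inspect before reinstalling the replica.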
