Hello,

Thank you for the answer! I don't know how I overlooked that thread, but he seems to have the exact same error messages. Unfortunately I do not seem to have the same issue causing my problems.

I tried running the command `pki securitydomain-show` and it had this output:

    Domain: IPA

    CA Subsystem:

      Host ID: CA ipa01.example.com 443
      Hostname: ipa01.example.com
      Port: 80
      Secure Port: 443
      Domain Manager: TRUE

Which is what I would expect to see, so no ghost pki servers.

Because your post on that thread said that the problem is likely on the master, I looked again at some of the logs on there, but I am not entirely sure what to make of them.

/var/log/httpd/error_log:

    [Tue Jun 27 19:15:32.337225 2023] [auth_gssapi:error] [pid 6960] [client 193.190.253.81:51488] Failed to unseal session data!, referer: https://ipa01.exampe.com/ipa/xml
    [Tue Jun 27 19:15:32.337346 2023] [auth_gssapi:error] [pid 6960] [client 193.190.253.81:51488] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa01.example.com/ipa/xml
    [Tue Jun 27 19:15:32.616436 2023] [:error] [pid 6955] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
    [Tue Jun 27 19:15:32.934945 2023] [:error] [pid 6954] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)

And I also found some errors in /var/log/dirsv/slapd-EXAMPLE-COM/errors:

    [27/Jun/2023:17:29:09.056259008 +0200] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
    [27/Jun/2023:17:29:09.178628062 +0200] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa01.example....@example.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
    [27/Jun/2023:17:29:09.246224361 +0200] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
    [27/Jun/2023:17:29:09.315077882 +0200] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
    [27/Jun/2023:17:29:09.375742873 +0200] - INFO - slapd_daemon - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
    [27/Jun/2023:17:29:09.415783191 +0200] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
    [27/Jun/2023:17:29:10.745933826 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
    [27/Jun/2023:17:29:14.894515440 +0200] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
    [27/Jun/2023:17:29:20.263045483 +0200] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
    [27/Jun/2023:17:29:20.308590630 +0200] - ERR - schema-compat-plugin - Finished plugin initialization.
    [27/Jun/2023:17:30:44.625896180 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed
    [27/Jun/2023:19:04:28.171069570 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
    [27/Jun/2023:19:07:37.983080605 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed
    [27/Jun/2023:19:55:46.403689644 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
    [27/Jun/2023:19:57:19.079492205 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed
    [27/Jun/2023:20:20:55.449501930 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
    [27/Jun/2023:20:22:28.551932671 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed

Do you have any other insights or things I could try to help resolve my issue?

Sincerely,
Arne