Hey, thanks for all the help so far! I've investigated a bit further and it seems to me that maybe there is a mismatch in the credentials/secrets used for SASL between the replicas? But maybe that is a different issue from the replication not being able to be established (or the same issue, but with different symptoms). However, I've looked up the krbPrincipalKey for ldap/[email protected] on both replica1 and replica2 and they do not seem to differ. But again, I am not sure if that is relevant.
[root@replica1 ~]# KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -h replica1.example.com -b 'cn=users,cn=accounts,dc=example,dc=com' '(objectClass=ipaNTUserAttrs)' ipaNTHash
SASL/GSSAPI authentication started
[3200] 1728215799.000066: ccselect module realm chose cache KCM:0 with client principal [email protected] for server principal ldap/[email protected]
[3200] 1728215799.000067: Getting credentials [email protected] -> ldap/[email protected] using ccache KCM:0
[3200] 1728215799.000068: Retrieving [email protected] -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:0 with result: -1765328243/Matching credential not found
[3200] 1728215799.000069: Retrieving [email protected] -> ldap/[email protected] from KCM:0 with result: 0/Success
[3200] 1728215799.000070: Creating authenticator for [email protected] -> ldap/[email protected], seqnum 230523842, subkey aes256-sha2/1619, session key aes256-sha2/E915
ldap_sasl_interactive_bind: Invalid credentials (49)

From this, it seems that root can access the keytab just fine, but is still failing to establish a connection.
There is also an error in ipa healthcheck, which I think also points to some credentials mismatch:

- exception: 'Insufficient access: Invalid credentials'
  traceback: >
    Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1096, in error_handler
        yield
      File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1267, in gssapi_bind
        self.conn.sasl_interactive_bind_s(
      File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 270, in sasl_interactive_bind_s
        return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
      File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
        result = func(*args,**kwargs)
    ldap.INVALID_CREDENTIALS: {'result': 49, 'desc': 'Invalid credentials', 'ctrls': []}

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/ipahealthcheck/core/core.py", line 56, in run_plugin
        for result in plugin.check():
      File "/usr/lib/python3.9/site-packages/ipahealthcheck/core/plugin.py", line 18, in wrapper
        for result in f(*args, **kwds):
      File "/usr/lib/python3.9/site-packages/ipahealthcheck/ipa/dna.py", line 32, in check
        agmt = replication.ReplicationManager(api.env.realm, api.env.host)
      File "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line 268, in __init__
        self.conn.gssapi_bind()
      File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1267, in gssapi_bind
        self.conn.sasl_interactive_bind_s(
      File "/usr/lib64/python3.9/contextlib.py", line 137, in __exit__
        self.gen.throw(typ, value, traceback)
      File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1124, in error_handler
        raise errors.ACIError(info="%s %s" % (info, desc))
    ipalib.errors.ACIError: Insufficient access: Invalid credentials

Also, due to some circumstances, I was not yet able to provide a long-term reverse DNS entry for the replicas. I am not sure whether this could have caused some internal mechanism (like Kerberos) to assign a different hostname somewhere.

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
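An added check that is not part of the post above and is not FreeIPA's own tooling. The trace shows the client obtaining a service ticket for the ldap/ principal and building an authenticator, and the bind still fails with "Invalid credentials (49)". One thing that produces exactly that picture is a server-side keytab whose key no longer matches what the KDC holds for the principal (stale key version number, kvno), so the Directory Server cannot decrypt the ticket. The script below only tests that one hypothesis on a replica; it does not establish that it is the cause here. It assumes the keytab lives at /etc/dirsrv/ds.keytab (the usual FreeIPA location), parses the output format of klist -kte and kvno(1), and embeds constructed sample output for both so that it runs offline; on a real replica you would feed it the live output of those two commands instead.

```shell
#!/bin/sh
# Added example (not from the post or from FreeIPA): compare the kvno of the
# LDAP service principal in the Directory Server keytab with the kvno the KDC
# currently reports for that principal.
#
# On a live replica the two inputs come from (keytab path is an assumption):
#   klist -kte /etc/dirsrv/ds.keytab
#   kvno "ldap/$(hostname -f)"
# Below, both are constructed sample outputs so the check runs offline.

PRINCIPAL='ldap/replica1.example.com@EXAMPLE.COM'

# Constructed sample of "klist -kte": two enctypes, both at kvno 2.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/01/2024 10:00:00 ldap/replica1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha384-192)
   2 10/01/2024 10:00:00 ldap/replica1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha256-128)'

# Constructed sample of "kvno ldap/...": the KDC has moved on to kvno 3.
SAMPLE_KVNO='ldap/replica1.example.com@EXAMPLE.COM: kvno = 3'

# Print the distinct kvnos that a "klist -kte" listing ($2) holds for
# principal $1, one per line. The principal is matched as a whole field, so
# the header line and the trailing enctype column are ignored.
keytab_kvnos() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { for (i = 2; i <= NF; i++) if ($i == p) { print $1; break } }
    ' | sort -u
}

# Extract N from the "principal: kvno = N" line that kvno(1) prints ($1).
kdc_kvno() {
    printf '%s\n' "$1" | awk -F'kvno = ' 'NF > 1 { print $2; exit }'
}

# Exit status: 0 if the KDC's kvno is present in the keytab, 1 if the keytab
# holds no key for the principal at all, 2 if it holds only other versions.
check_kvno() {
    principal=$1 keytab=$2 kdc=$3
    have=$(keytab_kvnos "$principal" "$keytab")
    want=$(kdc_kvno "$kdc")
    if [ -z "$have" ]; then
        echo "no key for $principal in keytab"
        return 1
    fi
    for v in $have; do
        if [ "$v" = "$want" ]; then
            echo "keytab kvno $v matches KDC"
            return 0
        fi
    done
    echo "keytab has kvno" $have "but KDC reports kvno $want: keytab is stale"
    return 2
}

# Usage on the constructed sample: keytab is at kvno 2, KDC is at kvno 3.
check_kvno "$PRINCIPAL" "$SAMPLE_KEYTAB" "$SAMPLE_KVNO" || echo "check exited with status $?"
```

A mismatch here (exit status 2) means the server will fail every GSSAPI bind for that principal regardless of what the client's ticket cache looks like, which is consistent with the trace showing a successful ticket lookup followed by result 49. A match does not rule the problem out; it only removes this one explanation. Run it on each replica against its own keytab, and compare the principal name in the keytab with the name the host actually uses (hostname -f), since the reverse DNS concern in the post is about exactly that name.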
