Ian Levesque wrote:

On Feb 7, 2012, at 3:39 PM, Rob Crittenden wrote:

Strange. Is your 389-ds instance running? If so, can you run this query:

ldapsearch -x -b 'cn=services,cn=accounts,dc=sbgrid,dc=org' 

I have the feeling that the principals for your IPA server have gone away.

Rather than post all the output, I filtered on the krbPrincipalName attribute. 
Let me know if you want to see more:

dn: krbprincipalname=dogtagldap/sbgrid-directory.in.hw...@sbgrid.org,cn=servic
krbPrincipalName: dogtagldap/sbgrid-directory.in.hw...@sbgrid.org

dn: krbprincipalname=ldap/sbgrid-directory.in.hw...@sbgrid.org,cn=services,cn=
krbPrincipalName: ldap/sbgrid-directory.in.hw...@sbgrid.org

dn: krbprincipalname=HTTP/sbgrid-directory.in.hw...@sbgrid.org,cn=services,cn=
krbPrincipalName: HTTP/sbgrid-directory.in.hw...@sbgrid.org

Note that when removing a replica it is often necessary to restart its 
replication partners because sometimes there are old tickets cached. I've never 
seen a case where principals were actually removed though.

What version of IPA are you running, on what distro?

CentOS 6.2


Ok, this looks good. Is the krb5kdc process running?

It is indeed:

[root@sbgrid-directory dirsrv]# kinit ian
Password for i...@sbgrid.org:

[root@sbgrid-directory dirsrv]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: i...@sbgrid.org

Valid starting     Expires            Service principal
02/07/12 15:51:02  02/08/12 15:51:00  krbtgt/sbgrid....@sbgrid.org


Hmm, very strange. It seems like your server is actually up and running ok. Am I reading this incorrectly?

Does your command-line work: ipa user-show admin

Perhaps those are just spurious errors in the errors log.

You might try re-creating the replica again. You've done a restart since, so it should have cleared the ticket cache.


