Ian Levesque wrote:


On Feb 7, 2012, at 3:39 PM, Rob Crittenden wrote:

<snip>
Strange. Is your 389-ds instance running? If so can you run this query:

ldapsearch -x -b 'cn=services,cn=accounts,dc=sbgrid,dc=org' 
'(krbprincipalname=*sbgrid-directory*)'

I have the feeling that the principals for your IPA server have gone away.

Rather than post all the output, I filtered on the krbPrincipalName attribute. 
Let me know if you want to see more:

dn: krbprincipalname=dogtagldap/sbgrid-directory.in.hw...@sbgrid.org,cn=servic
  es,cn=accounts,dc=sbgrid,dc=org
krbPrincipalName: dogtagldap/sbgrid-directory.in.hw...@sbgrid.org

dn: krbprincipalname=ldap/sbgrid-directory.in.hw...@sbgrid.org,cn=services,cn=
  accounts,dc=sbgrid,dc=org
krbPrincipalName: ldap/sbgrid-directory.in.hw...@sbgrid.org

dn: krbprincipalname=HTTP/sbgrid-directory.in.hw...@sbgrid.org,cn=services,cn=
  accounts,dc=sbgrid,dc=org
krbPrincipalName: HTTP/sbgrid-directory.in.hw...@sbgrid.org



Note that when removing a replica it is often necessary to restart its 
replication partners because sometimes there are old tickets cached. I've never 
seen a case where principals were actually removed though.

What version of IPA are you running, on what distro?


CentOS 6.2
ipa-server-2.1.3-9.el6.x86_64
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks,
Ian

Ok, this looks good. Is the krb5kdc process running?


It is indeed:

[root@sbgrid-directory dirsrv]# kinit ian
Password for i...@sbgrid.org:

[root@sbgrid-directory dirsrv]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: i...@sbgrid.org

Valid starting     Expires            Service principal
02/07/12 15:51:02  02/08/12 15:51:00  krbtgt/sbgrid....@sbgrid.org

~irl

Hmm, very strange. It seems like your server is actually up and running ok, am I reading this incorrectly?

Does your command-line work: ipa user-show admin

Perhaps those are just spurious errors in the errors log.

You might try re-creating the replica again. You've done a restart since so it should have cleared the ticket cache.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to