On Thu, 2012-02-09 at 16:25 -0500, Ian Levesque wrote:
> On Feb 9, 2012, at 1:57 PM, Simo Sorce wrote:
>
> > On Tue, 2012-02-07 at 23:19 -0500, Ian Levesque wrote:
> >
> >> On the replica:
> >>
> >> [21/29]: setting up initial replication
> >> Starting replication, please wait until this has completed.
> >> [sbgrid-directory.in.hwlab] reports: Update failed! Status: [-2 -
> >> System error]
> >> creation of replica failed: Failed to start replication
> >>
> >> On the "primary":
> >>
> >> slapd_ldap_sasl_interactive_bind - Error: could not perform
> >> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> >> Minor code may provide more information (Cannot contact any KDC for
> >> requested realm))
> >>
> >> slapi_ldap_bind - Error: could not perform interactive bind for id []
> >> mech [GSSAPI]: error -2 (Local error)
> >>
> >> `ipa-replica-manage list` on the primary still lists both...
> >>
> >> sbgrid-directory.in.hwlab: master
> >> sbgrid-directory-replica.in.hwlab: master
> >>
> >> Thanks for your continued interest.
> >
> > I think you failed to properly clean up before reinstalling the replica.
> >
> > On the replica make sure you run:
> > ipa-server-install --uninstall
> >
> > On the primary:
> > ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab
> >
> > You will have to force because you already removed the replica.
> >
> > Once you do that you can generate a new replica file for the replica and
> > retry to set up replication.
> >
> > Let me know if you encounter any other error once you have done that.
>
> I tried what you suggested and today, the replication did complete.
>
> That said, there were a bunch of errors on the initial master, including:
>
> id2entry - str2entry returned NULL for id 12, string="rdn"
> _entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct
> to RDN
> (snip - continues for each automountmapname cn entry)
>
> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for
> replica dc=sbgrid,dc=org: 20
> (repeated several times)
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind
> for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13):
> authentication failure: GSSAPI Failure: gss_accept_sec_context)
> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech
> [GSSAPI]: error 49 (Invalid credentials)
> (repeated several times)
>
> NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab"
> (sbgrid-directory-replica:389): Replication bind with GSSAPI auth failed:
> LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure:
> GSSAPI Failure: gss_accept_sec_context)
>
> And ~ every 5 minutes, I see the familiar-by-now:
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind
> for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13):
> authentication failure: GSSAPI Failure: gss_accept_sec_context)
> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech
> [GSSAPI]: error 49 (Invalid credentials)
>
> The replica reports both masters when I run `ipa-replica-manage list`, but
> the primary master only lists itself.
>
> Things /appear/ to be working correctly, but none of this is making me feel
> very confident...

They are not running correctly.
Your first master seems to keep having issues connecting to the replica.

Did you restart the master?
Because you replaced the replica with another of identical name, the
master may have cached a previously valid ticket that is not correct
anymore since you rebuilt replica credentials and therefore all old
tickets are invalid.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
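
A triage sketch for the directory server error log discussed in this thread, added here as an example and not part of the original messages or of FreeIPA: it separates the "Cannot contact any KDC" failures from the error 49 `gss_accept_sec_context` rejections, and reports which replication agreement is affected and how often the rejections recur. The bracketed timestamp prefix, the timestamps and the function names are assumptions; the message texts are the ones quoted above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample. Message texts are the ones quoted in the thread; the
# bracketed timestamp prefix and the timestamps are assumptions.
BIND = ("slapd_ldap_sasl_interactive_bind - Error: could not perform "
        "interactive bind for id [] mech [GSSAPI]: ")
REJECT = ("error 49 (Invalid credentials) (SASL(-13): authentication "
          "failure: GSSAPI Failure: gss_accept_sec_context)")
SAMPLE_LOG = "\n".join([
    "[07/Feb/2012:23:10:00 -0500] " + BIND + "error -2 (Local error) "
    "(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor "
    "code may provide more information (Cannot contact any KDC for requested realm))",
    "[09/Feb/2012:16:00:00 -0500] " + BIND + REJECT,
    '[09/Feb/2012:16:00:00 -0500] NSMMReplicationPlugin - agmt="cn=meTosbgrid-'
    'directory-replica.in.hwlab" (sbgrid-directory-replica:389): Replication '
    "bind with GSSAPI auth failed: LDAP " + REJECT,
    "[09/Feb/2012:16:05:00 -0500] " + BIND + REJECT,
    "[09/Feb/2012:16:10:00 -0500] " + BIND + REJECT,
])

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<src>\S+) - (?P<msg>.*)$")
AGMT = re.compile(r'agmt="([^"]+)"')

def classify(msg):
    """Map a GSSAPI bind failure to the side of the exchange that failed."""
    if "Cannot contact any KDC" in msg:
        return "kdc_unreachable"          # initiator could not reach a KDC
    if "error 49" in msg and "gss_accept_sec_context" in msg:
        return "ticket_rejected_by_peer"  # peer could not accept the ticket
    return None

def triage(log_text):
    counts, agreements, times = Counter(), set(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        kind = classify(m["msg"]) if m else None
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "ticket_rejected_by_peer":
            times.append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
            agreements.update(AGMT.findall(m["msg"]))
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return {"counts": dict(counts), "agreements": sorted(agreements),
            "gaps_seconds": gaps}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A steady run of `ticket_rejected_by_peer` entries at a fixed interval after a replica was rebuilt under the same name matches the stale-ticket situation described in the reply above.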