On Mon, 2012-05-07 at 20:38 -0700, David Copperfield wrote:
> I have a IPA replica server with disk problems, and then it is
> reimaged and rebuild. But when the IPA replica function is rebuilt, it
> reports the following problem:
> 
> 
> [root@ipareplica02 ipa]# ipa-replica-install
> --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
> 
> ...
>   [21/29]: setting up initial replication
> Starting replication, please wait until this has completed.
> [ipamaster.example.com] reports: Update failed! Status: [49  - LDAP
> error: Invalid credentials]
> ...
> 
> 
> Before I run the replica rebuilding step on IPA replica, I already run
> 'ipa-replica-manage disconn ipareplica01.example.com' on IPA master,
> and delete the host entry for ipareplica02 as well.
> 
> 
> Did I missed any steps above? Please help. Thanks.

Due to the way kerberos ticket are built you need to restart the master
this replica was replicating to before you rebuild a replica with the
exact same name.
This is because krb tickets are cached but you will change the long term
key with a full reinstall, so the current master will have a ticket the
replica cannot decrypt.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to