Hi Simo and all,

 Thanks for your reply.

Do you mean restarting the ipa service on the IPA master, like 'service ipa restart'? Or
running 'kdestroy' on the IPA master to remove Kerberos tickets? It would be great if
you could elaborate on this: which IPA replica Kerberos principal and replica
Kerberos tickets are involved, and where they are stored.

Thanks.

--David

________________________________
 From: Simo Sorce <s...@redhat.com>
To: David Copperfield <cao2...@yahoo.com> 
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com> 
Sent: Tuesday, May 8, 2012 6:08 AM
Subject: Re: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.
 
On Mon, 2012-05-07 at 20:38 -0700, David Copperfield wrote:
> I have an IPA replica server with disk problems, and it was then
> reimaged and rebuilt. But when the IPA replica function is rebuilt, it
> reports the following problem:
> 
> 
> [root@ipareplica02 ipa]# ipa-replica-install
> --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
> 
> ...
>   [21/29]: setting up initial replication
> Starting replication, please wait until this has completed.
> [ipamaster.example.com] reports: Update failed! Status: [49  - LDAP
> error: Invalid credentials]
> ...
> 
> 
> Before I ran the replica rebuilding step on the IPA replica, I had already run
> 'ipa-replica-manage disconn ipareplica01.example.com' on the IPA master,
> and deleted the host entry for ipareplica02 as well.
> 
> 
> Did I miss any steps above? Please help. Thanks.

Due to the way Kerberos tickets are built, you need to restart the master
this replica was replicating to before you rebuild a replica with the
exact same name.
This is because krb tickets are cached, but you will change the long-term
key with a full reinstall, so the current master will have a ticket the
replica cannot decrypt.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
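To make the mechanism Simo describes concrete, here is an added illustration that is not part of the thread and not FreeIPA or MIT Kerberos code. It models the three parties with a stdlib-only toy cipher standing in for the Kerberos enctype: a KDC that seals a service ticket under the service's current long-term key, a client (the master's directory server) that caches that ticket, and a service (the replica's LDAP server) that has to decrypt it. After the service is reinstalled with a fresh key, the cached ticket is rejected until the client's cache is flushed, which is what restarting the master does. The realm, principal names and passwords are made up for the example.

```python
"""Toy model of why a cached Kerberos service ticket stops working once the
service's long-term key changes.  Added illustration only: the cipher below is a
stdlib HMAC-based stand-in for a Kerberos enctype, and the realm, principals and
passwords are assumed, not taken from the thread."""
import hashlib
import hmac
import os
import secrets

REALM = "EXAMPLE.COM"  # assumed realm


def long_term_key(password: bytes, principal: str) -> bytes:
    """Derive a principal's long-term key from its password (string-to-key stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password, principal.encode(), 10000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; toy stream cipher, not a real Kerberos enctype."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reject anything not sealed under this exact key, as a service would."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: ticket not encrypted with this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Knows the current long-term key of every service principal."""

    def __init__(self):
        self.keys = {}

    def register(self, principal: str, password: bytes) -> None:
        self.keys[principal] = long_term_key(password, principal)

    def issue_ticket(self, client: str, service: str) -> bytes:
        # A service ticket is sealed under the *service's* current key, so only
        # the service can open it.  The client never sees the service key.
        return encrypt(self.keys[service], f"client={client}".encode())


class Service:
    """The replica's LDAP server: holds its own long-term key (keytab)."""

    def __init__(self, principal: str, password: bytes):
        self.principal = principal
        self.key = long_term_key(password, principal)

    def accept(self, ticket: bytes) -> str:
        return decrypt(self.key, ticket).decode()


class Client:
    """The master's directory server: caches the service ticket it obtained."""

    def __init__(self, principal: str, kdc: KDC):
        self.principal, self.kdc, self.ccache = principal, kdc, {}

    def ticket_for(self, service: str) -> bytes:
        if service not in self.ccache:  # only talk to the KDC on a cache miss
            self.ccache[service] = self.kdc.issue_ticket(self.principal, service)
        return self.ccache[service]

    def flush(self) -> None:
        """What a service restart (or kdestroy) does to the credential cache."""
        self.ccache.clear()


def scenario() -> dict:
    master = f"ldap/ipamaster.example.com@{REALM}"
    replica = f"ldap/ipareplica02.example.com@{REALM}"
    kdc = KDC()
    kdc.register(replica, b"pw-before-reimage")
    svc = Client(master, kdc), Service(replica, b"pw-before-reimage")
    cli, svc = svc
    results = {"before": svc.accept(cli.ticket_for(replica))}  # normal operation

    # Reimage + ipa-replica-install: the replica gets a brand-new key and the
    # KDC is updated, but the master's cached ticket is still the old one.
    new_pw = secrets.token_bytes(16)
    kdc.register(replica, new_pw)
    svc = Service(replica, new_pw)
    try:
        svc.accept(cli.ticket_for(replica))
        results["stale"] = "accepted"
    except ValueError:
        results["stale"] = "rejected"  # the 'Invalid credentials' situation

    cli.flush()  # restart the master so it requests a fresh ticket
    results["after_flush"] = svc.accept(cli.ticket_for(replica))
    return results


if __name__ == "__main__":
    print(scenario())
```

The point the model makes is that the ticket lifetime, not the key change, decides when the cache expires: until the master's process restarts (or the ticket times out), it will keep presenting a ticket the rebuilt replica cannot open, regardless of how correct the new replica's keytab is.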
