On 04/05/2013 08:41 AM, Simo Sorce wrote:
> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>> You were correct, my reverse DNS entries for the master and replica
>> were missing. Odd, since they both existed at one point.
>
> Rob,
> I think we should open a ticket against 389ds, we should never depend on
> PTR records.
>
> In this case I believe the ldap libraries are at fault since they now
> force SASL canonicalization on which is known to be broken for gssapi as
> it causes reverse resolution.
>
> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?

Yes.
ldap/servers/slapd/ldaputil.c: ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);

Should this be off by default?  Should this be configurable?

> Simo.
>> Running the same commands again results in the following.
>>
>> On the Replica system
>>
>> ipa-replica-manage list replica.example.com -v
>>
>> master.example.com: replica
>>    last init status: None
>>    last init ended: None
>>    last update status: 0 Replica acquired successfully: Incremental update succeeded
>>    last update ended: 2013-04-05 14:18:11+00:00
>>
>> ipa-replica-manage list master.example.com -v
>>
>> Failed to get data from 'dpu-inf-ldap01.tni01.com': {'info': 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc': 'Local error'}
>>
>> ===========
>> On the master system
>>
>> ipa-replica-manage list replica.example.com -v
>>
>> master.example.com: replica
>>    last init status: None
>>    last init ended: None
>>    last update status: 0 Replica acquired successfully: Incremental update succeeded
>>    last update ended: 2013-04-05 14:19:39+00:00
>>
>> ipa-replica-manage list master.example.tni01.com -v
>>
>> replica.example.com: replica
>>    last init status: 0 Total update succeeded
>>    last init ended: 2013-04-04 20:06:44+00:00
>>    last update status: 49  - LDAP error: Invalid credentials
>>    last update ended: 2013-04-04 20:06:55+00:00
>>
>>
>> On Thu, Apr 4, 2013 at 2:51 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Brent Clark wrote:
>>>> Ok, I have done as Steven Jones requested... here is the output from the replica.
>>>>
>>>> I am able to kinit to admin using the password. Issuing the ipa-replica-manage command on the replica for the replica:
>>>>
>>>> replcia.mydomain.com: replica
>>>>    last init status: None
>>>>    last init ended: None
>>>>    last update status: -2  - System error
>>>>    last update ended: None
>>>>
>>>> Same command but for the master:
>>>>
>>>> Failed to get data from 'master.example.com': {'info': 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc': 'Local error'}
>>>>
>>>> I can ping, telnet on all the IPA ports and ssh to the main server from the replica.
>>>>
>>>> So... I'm confused. Also on a whim, I was able to add a server to the replica and that host info did make it to the master.
>>>
>>> Sounds like a DNS issue. Make sure forward and reverse DNS works for master.example.com.
>>>
>>> rob



--
Brent S. Clark
NOC Engineer

2580 55th St.  |  Boulder, Colorado 80301
www.tendrilinc.com  |  blog
Tendril


This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender.
Please note that any views or opinions presented in this email are solely those 
of the author and do not necessarily represent those of the company.
Finally, the recipient should check this email and any attachments for the 
presence of viruses.
The company accepts no liability for any damage caused by any virus transmitted 
by this email.
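As an added example (not code from this thread, FreeIPA or 389-ds), the forward-confirmed reverse DNS check Rob asked for, in Python: for each address of a master or replica it verifies that a PTR record exists and maps back to the same name, and reports the host part a canonicalizing SASL/GSSAPI client would end up using for the ldap/ service principal. The resolver functions are assumed to be injectable so the check can be exercised offline; the host names and addresses used in testing are constructed.

```python
import socket
from typing import Callable, Dict, List


def resolve_forward(hostname: str) -> List[str]:
    """A/AAAA lookup via the system resolver; [] when the name does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []


def resolve_reverse(address: str) -> str:
    """PTR lookup via the system resolver; '' when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(address)[0]
    except (socket.herror, socket.gaierror):
        return ""


def check_fcrdns(hostname: str,
                 forward: Callable[[str], List[str]] = resolve_forward,
                 reverse: Callable[[str], str] = resolve_reverse) -> Dict:
    """Forward-confirmed reverse DNS check for one IPA master/replica name.

    Returns {'ok': bool, 'problems': [str], 'canonical': {addr: name}}; 'canonical'
    is the host a canonicalizing SASL/GSSAPI client would put into ldap/<host>
    (assumption: the PTR name, or the bare address when no PTR exists).
    """
    host = hostname.rstrip(".").lower()
    result: Dict = {"ok": True, "problems": [], "canonical": {}}
    addrs = forward(host)
    if not addrs:
        result["problems"].append(f"{host}: no A/AAAA record")
    for addr in addrs:
        ptr = reverse(addr).rstrip(".").lower()
        if not ptr:
            # Missing PTR: the client is left with the numeric address and
            # Kerberos reports "Cannot determine realm for numeric host address".
            result["problems"].append(f"{addr}: no PTR record, GSSAPI would try ldap/{addr}")
            result["canonical"][addr] = addr
        elif ptr != host:
            # Stale PTR: a ticket would be requested for a principal that may not exist.
            result["problems"].append(f"{addr}: PTR is {ptr}, not {host}")
            result["canonical"][addr] = ptr
        else:
            result["canonical"][addr] = host
    result["ok"] = not result["problems"]
    return result
```

Run `check_fcrdns("master.example.com")` and `check_fcrdns("replica.example.com")` from both hosts; any reported problem is the PTR gap Brent found and needs fixing in DNS whether or not the client canonicalizes.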
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

