Yup, looks like replication is broken =\

[r...@ipa1.gln.4over.com ipa]# ipa-replica-manage disconnect ipa1.la3.4over.com
Failed to get list of agreements from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

[r...@ipa1.gln.4over.com ipa]# ipa-replica-manage list ipa1.la3.4over.com
Failed to get data from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

[r...@ipa1.gln.4over.com ipa]# ipa-replica-manage list
ipa1.la3.4over.com: master
ipa1.gln.4over.com: master
ipa1.da2.4over.com: master

Thank you,

Christian Hernandez
1225 Los Angeles Street
Glendale, CA 91204
Phone: 877-782-2737 ext. 4566
Fax: 818-265-3152
christi...@4over.com <mailto:christi...@4over.com>
www.4over.com <http://www.4over.com>

On Mon, Apr 15, 2013 at 4:58 PM, Christian Hernandez <christi...@4over.com> wrote:

> Okay,
>
> So I tried to update to the newest version. Update went okay and users can
> authenticate (as far as I can tell)...
>
> But I think may be replication broke?
>
> [r...@ipa1.da2.4over.com log]# ipa-replica-manage force-sync --from=
> ipa1.gln.4over.com
> Invalid password
>
> Any ideas?
>
> Thank you,
>
> Christian Hernandez
> 1225 Los Angeles Street
> Glendale, CA 91204
> Phone: 877-782-2737 ext. 4566
> Fax: 818-265-3152
> christi...@4over.com <mailto:christi...@4over.com>
> www.4over.com <http://www.4over.com>
>
> On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
>> On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
>> > There are some odd errors in ldap_child.log but it seems to cover a
>> > later period than the other logs (not being able to bind using its
>> > keytab is a bad thing).
>> >
>> > I think what you'll want to do, and this may be relatively tough, is
>> > try to correlate these failures with the 389-ds access log and the
>> > KDC logs to see if there are equivalent failures at around the same
>> > times.
>>
>> I agree, the ldap_child failing usually indicates an issue with the
>> keytab and/or the KDC. The ldap_child functionality is roughly equivalent to
>> "kinit -k".
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
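The correlation suggested in the quoted reply (matching ldap_child failures against the 389-ds access log and the KDC log by time), as an added example that is not part of the thread. The log lines are constructed, and the line layouts, the 5-second window, the shared-timezone assumption and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, not taken from the thread. All three logs are
# assumed to be written in the same local timezone.
LDAP_CHILD = """\
(Mon Apr 15 14:29:18 2013) [[sssd[ldap_child[2211]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Mon Apr 15 15:02:40 2013) [[sssd[ldap_child[2290]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
"""
DS_ACCESS = """\
[15/Apr/2013:14:29:19 -0400] conn=41 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[15/Apr/2013:14:40:00 -0400] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""
KDC = """\
Apr 15 14:29:18 ipa1.example.test krb5kdc[901](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: host/client.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

# source -> (failure-line pattern, strptime format); assumed typical layouts.
FORMATS = {
    "ldap_child": (r"^\((\w{3} \w{3} +\d+ [\d:]{8} \d{4})\) .*?: (Failed.*)$", "%a %b %d %H:%M:%S %Y"),
    "389-ds": (r"^\[(\d{2}/\w{3}/\d{4}:[\d:]{8}) [+-]\d{4}\] (.*\berr=49\b.*)$", "%d/%b/%Y:%H:%M:%S"),
    "kdc": (r"^(\w{3} +\d+ [\d:]{8}) \S+ krb5kdc\S*: (.*PREAUTH_FAILED.*)$", "%b %d %H:%M:%S %Y"),
}

def failures(source, text, year=2013):
    """Return [(timestamp, source, message)] for the failure lines of one log."""
    pattern, fmt = FORMATS[source]
    events = []
    for m in re.finditer(pattern, text, re.MULTILINE):
        stamp = m.group(1)
        if source == "kdc":  # syslog-style stamps carry no year, so supply one
            stamp = f"{stamp} {year}"
        events.append((datetime.strptime(stamp, fmt), source, m.group(2)))
    return events

def correlate(anchors, others, window=timedelta(seconds=5)):
    """Pair each anchor failure with other-log failures within +/- window."""
    return [(a, [o for o in others if abs(o[0] - a[0]) <= window]) for a in anchors]

if __name__ == "__main__":
    others = failures("389-ds", DS_ACCESS) + failures("kdc", KDC)
    for anchor, hits in correlate(failures("ldap_child", LDAP_CHILD), others):
        print(anchor[0], anchor[2])
        for when, source, msg in hits or [(None, "none", "no matching failure")]:
            print("   ", source, when, msg[:60])
```

An ldap_child failure with no nearby err=49 bind result or KDC failure suggests the request never reached that server, which narrows the problem to the client side or to a different replica.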