So, any idea how to fix the Kerberos problem?

*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret


On Mon, Aug 19, 2013 at 12:19 PM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:

> ...and I got the web UI, authentication and sudo back via:
>
> # ipactl stop
> # ipactl start
>
> Not sure why that worked, but it did. I was grasping at straws, honestly.
>
>
> *Bret Wortman*
>
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
>
> On Mon, Aug 19, 2013 at 12:18 PM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
>
>> Digging further, I think this log entry might be the problem between the
>> two servers that aren't talking:
>>
>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
>> bind for id[] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic
>> failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
>> information (Server ldap/localh...@spx.net not found in Kerberos
>> database)) errno 2 (No such file or directory)
>>
>> Did I build something incorrectly when that server was set up originally?
>>
>>
>>
>> *Bret Wortman*
>>
>> http://damascusgrp.com/
>> http://about.me/wortmanbret
>>
>>
>> On Mon, Aug 19, 2013 at 12:02 PM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
>>
>>> I ran it on a good master, against a bad one. As in, I ran this command
>>> on my master IPA node:
>>>
>>> # ipa-replica-manage del --force bad1.foo.net --cleanup
>>>
>>> Was that wrong? I was trying to delete the bad replica from the master,
>>> so I figured the command needed to be run on the master. But again, my
>>> master is now in a state where it's not resolving DNS, user logins, or sudo
>>> at the very least.
>>>
>>> Oh, and I checked the node that it was complaining about earlier. The
>>> network connection to it is the pits, but it's there. And it resolves.
>>>
>>>
>>> *Bret Wortman*
>>>
>>> http://damascusgrp.com/
>>> http://about.me/wortmanbret
>>>
>>>
>>> On Mon, Aug 19, 2013 at 11:58 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>>> Rob Crittenden wrote:
>>>>
>>>>> Bret Wortman wrote:
>>>>>
>>>>>> Well, my master ground to a halt and wasn't responding. I rebooted the
>>>>>> system and now I can't access the web UI or ssh to the master either. I
>>>>>> have console access but that's it.
>>>>>>
>>>>>> The services all say they're running, but the web UI gives an "Unknown
>>>>>> Error" dialog and ssh fails with "ssh_exchange_identification:
>>>>>> Connection closed by remote host" whenever I try to ssh to ipamaster. I
>>>>>> think something has gone really wrong inside my master. Any ideas? Even
>>>>>> after the reboot, --cleanup isn't helping and just hangs.
>>>>>>
>>>>>> The logfiles end (as of the time I ^C'd the process) with:
>>>>>>
>>>>>> NSMMReplicationPlugin - agmt="cn=meTogood3.spx.net
>>>>>> <http://meTogood3.spx.net>" (good3:389): Replication bind with GSSAPI
>>>>>> auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
>>>>>> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
>>>>>> information (Cannot determine realm for numeric host address))
>>>>>> NSMMReplicationPlugin - CleanAllRUV Task: Replica not online
>>>>>> (agmt="cn=meTogood3.foo.net <http://meTogood3.foo.net>" (good3:389))
>>>>>> NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas online,
>>>>>> retrying in 160 seconds...,
>>>>>>
>>>>>> So it looks like it's having trouble talking with one of my replicas and
>>>>>> is doggedly trying to get the job done. Any idea how to get the master
>>>>>> back working again while I troubleshoot this connectivity issue?
>>>>>>
>>>>>
>>>>> That suggests a DNS problem, and it might explain ssh as well depending
>>>>> on your configuration.
>>>>>
>>>>
>>>> To be clear, you ran --cleanup against one of the bad masters, not a
>>>> good one, right?
>>>>
>>>> rob
>>>>
>>>>
>>>
>>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
