On Mon, Sep 16, 2013 at 3:21 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Rich Megginson wrote:
>> On 09/16/2013 03:21 AM, Charlie Derwent wrote:
>>> Hi
>>> Update on the errors
>>> kinit charlesd
>>> kinit: Generic error (see e-text) while getting initial credentials
>>> krb5kdc.log - LOOKING_UP_CLIENT: charl...@example.com
>>> <mailto:charl...@example.com> for krbtg/example....@example.com
>>> <mailto:EXAMPLE.COM@EXAMPLE.**COM <example....@example.com>>, Server
>>> Error
>>> Starting the IPA service (dirsrv in particular) gives
>>> Failed to read data from Directory Service: Failed to get list of
>>> services to probe status!
>>> Configured hostname 'ipa3.example.com <http://ipa3.example.com>'
>>> doesn't match any master server in LDAP:
>>> No master found because of error: {'matched': dc=example,dc=com',
>>> 'desc': 'No such object'}
>>> Shutting down
>>> The errors log has a load of different services schema-compat-plugin.
>>> dna-plugin, ipalockout_preop/postop all complaining in one way or
>>> another about being unable to retrieve entries or no entries being set
>>> up.
>> I think you'll have to use the workaround where you change replication
>> to use simple bind in order to initialize the consumer, then switch back
>> to sasl/gssapi.
>> Simo/Rob - which ticket was this?  Does freeipa.org have the workaround?
> http://freeipa.org/page/**TroubleshootingGuide#Replica_**Re-Initialization<http://freeipa.org/page/TroubleshootingGuide#Replica_Re-Initialization>
> Sorry I hate leaving threads like this unresolved. So I had a go
implementing the changes as shown above and I can see how and why it should
have worked but whenever I tried to reinitialise from the remote server it
still didn't load so I uninstalled the server removed the replication
agreements by force and started from scratch and it's all good now.

"You might want to edit the line on the link so "nsSaslMapFilterTemplate:
(krbPrincipalName=&@IDM.LAB.BOS.REDHAT.COM)" reads
"nsSaslMapFilterTemplate: (krbPrincipalName=&@$REALM)" but it's kind of
obvious anyway.

Thanks for the help

>  rob
Freeipa-users mailing list

Reply via email to