On 01/17/2014 01:12 PM, Petr Spacek wrote:
> On 17.1.2014 12:44, Thomas Sailer wrote:
> > # ldapsearch -Y GSSAPI \*
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Local error (-2)
> > additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/localdom...@xxxx.com not found in Kerberos database)
>
> The LOCALDOMAIN part should be equal to the REALM (after @). Is it the
> same and the difference came from your obfuscation or not?

No it's not my obfuscation, it's really LOCALDOMAIN.
It turned out that:
/etc/openldap/ldap.conf
contained:
URI ldap://localhost
instead of URI ldaps://replica.xxxx.com

> See
> http://adam.younglogic.com/2013/03/iptables-rules-for-freeipa/

Urgh, embarrassing. Indeed, it turned out that I need to open port 8080 on
the master (it is connected by the replica).
Port 8080 doesn't feature on the list in the above blog post, so I
posted a comment...
> Replicas will be equal if you install CA to all servers.
Great to hear!
> Have a nice day!
Thank you, and same to you!
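Added example, not part of the original thread: a shell check for the misconfiguration found above, where the URI in /etc/openldap/ldap.conf pointed at localhost instead of the IPA server's host name. The function name `check_ldap_conf` and the `example.test` sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example. check_ldap_conf FILE prints one WARN line per URI in an
# OpenLDAP client config whose host is a loopback name, and returns 1 if any.
check_ldap_conf() {
    conf=$1
    found=0
    # "URI" is case-insensitive and one line may carry several URIs.
    for uri in $(awk 'toupper($1) == "URI" { for (i = 2; i <= NF; i++) print $i }' "$conf"); do
        rest=${uri#*://}
        case $rest in
            \[*) host=${rest#\[}; host=${host%%\]*} ;;   # bracketed IPv6 literal
            *)   host=${rest%%[/:]*} ;;                  # strip :port and /path
        esac
        host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
        case $host in
            ""|localhost|localhost.*|127.*|::1)
                # An empty host (ldap:///) also means the local machine.
                echo "WARN $uri: loopback host, not the IPA server's name"
                found=1 ;;
        esac
    done
    return $found
}

# Constructed sample configs (example.test stands in for the real domain).
demo_dir=$(mktemp -d)
printf '%s\n' '# broken' 'URI ldap://localhost' 'BASE dc=example,dc=test' > "$demo_dir/bad.conf"
printf '%s\n' 'URI ldaps://replica.example.test' 'BASE dc=example,dc=test' > "$demo_dir/good.conf"

for f in "$demo_dir/bad.conf" "$demo_dir/good.conf"; do
    if check_ldap_conf "$f"; then echo "OK   $f"; fi
done
```

Run against the real file with `check_ldap_conf /etc/openldap/ldap.conf`; a WARN line means the GSSAPI bind will be attempted against the local host name rather than the server's.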