On 07/28/2014 02:39 PM, Joseph, Matthew (EXP) wrote:
Weird, when I do kdestroy it prompts me for a password to do the
ipa-replica-manage list command and I supply the password but it
states invalid credentials.
When I do kinit and supply the password it works.
They use the same account/password don't they?
Actually, I think not :-) If I do not have a ticket (admin) then it
prompts for the Directory Manager password
and that depends on how you've set it during the installation. If you
get a ticket as admin, then it doesn't prompt
for the Directory Manager password - doesn't need it as admin has
broader permissions.
If you have no ticket, and it is failing on the Directory Manager password
when prompted, then Directory Manager
must have a different password.
-m
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Mark Heslin
Sent: Monday, July 28, 2014 3:27 PM
To: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] IPA Replica Issues
On 07/28/2014 02:12 PM, Mark Heslin wrote:
On 07/28/2014 12:46 PM, Joseph, Matthew (EXP) wrote:
Hello,
I'm currently running into some issues with my replica server.
I noticed it wasn't getting any updates from the master server
so I tried to do a force-sync but it states that it is an
"invalid password" which I know is not the case.
I tried doing an ipa-replica-manager list replica_server but
it gives me the SASL(-13) authentication failure: GSSAPI
Failure: gss_accept_sec_context, 'desc' Invalid Credentials
I've tried doing a kdestroy and have it prompt me for the
password but again, same error.
Any idea what this would be?
Thanks,
Matt
Joe,
Are you actually getting a valid Kerberos ticket - on the surface
it would not appear so.
Also, the command is 'ipa-replica-manage list':
Example:
# ipa-replica-manage list
idm-srv1.example.com: master
idm-srv2.example.com: master
-m
Joe,
I forgot to add, you should be able to do this without a Kerberos ticket
but you'll need to specify the Directory Manager password:
Example:
# ipa-replica-manage list
Directory Manager password: ********
idm-srv1.example.com: master
idm-srv2.example.com: master
# klist
klist: No credentials cache found (ticket cache KEYRING:persistent:0:0)
I'm running RHEL 7 - not sure whether or not this behavior is different
on earlier versions.
-m