On 07/28/2014 02:39 PM, Joseph, Matthew (EXP) wrote:

    Weird, when I do kdestroy it prompts me for a password to do the ipa-replica-manage list command and I supply the password but it states invalid credentials.

    When I do kinit and supply the password it works.

    They use the same account/password don't they?

Actually, I think not :-) If I do not have a ticket (admin) then it prompts for the Directory Manager password and that depends on how you've set it during the installation. If you get a ticket as admin, then it doesn't prompt for the Directory Manager password - doesn't need it as admin has broader permissions.

If you have no ticket, and it is failing on the Directory Manager password when prompted, then Directory Manager must have a different password.

-m

*From:*freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Mark Heslin
*Sent:* Monday, July 28, 2014 3:27 PM
*To:* freeipa-users@redhat.com
*Subject:* EXTERNAL: Re: [Freeipa-users] IPA Replica Issues

On 07/28/2014 02:12 PM, Mark Heslin wrote:

    On 07/28/2014 12:46 PM, Joseph, Matthew (EXP) wrote:

        Hello,

        I'm currently running into some issues with my replica server.

        I noticed it wasn't getting any updates from the master server
        so I tried to do a force-sync but it states that it is an
        "invalid password" which I know is not the case.

        I tried doing an ipa-replica-manager list replica_server but
        it gives me the SASL(-13) authentication failure: GSSAPI
        Failure: gss_accept_sec_context, 'desc' Invalid Credentials

        I've tried doing a kdestroy and have it prompt me for the
        password but again, same error.

        Any idea what this would be?


        Thanks,

        Matt



    Joe,

    Are you actually getting a valid Kerberos ticket - on the surface
    it would not appear so.

    Also, the command is 'ipa-replica-manage list':

    Example:
      # ipa-replica-manage list
      idm-srv1.example.com: master
      idm-srv2.example.com: master

    -m



Joe,

I forgot to add, you should be able to do this without a Kerberos ticket
but you'll need to specify the Directory Manager password:

Example:
  #  ipa-replica-manage list
  Directory Manager password: ********

  idm-srv1.example.com: master
  idm-srv2.example.com: master
  # klist
  klist: No credentials cache found (ticket cache KEYRING:persistent:0:0)

I'm running RHEL 7 - not sure whether or not this behavior is different
on earlier versions.

-m




