On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote:
> What's the best way to re-initialize a replica?
>
> Suppose one of your replicas goes south.. is there a command to tell
> that replica to re-initialize from the first master (instead of
> removing/re-adding the replica from the topology)?

Found the command I was looking for:

    ipa-replica-manage re-initialize --from xxx

However, one of our replicas is down and I can't seem to re-initialize it.
Starting ipa fails (via systemctl restart ipa):

    ipactl status
    Directory Service: RUNNING
    krb5kdc Service: STOPPED
    kadmin Service: STOPPED
    named Service: STOPPED
    ipa_memcached Service: STOPPED
    httpd Service: STOPPED
    pki-tomcatd Service: STOPPED
    ipa-otpd Service: STOPPED
    ipa: INFO: The ipactl command was successful

Errors from the dirsrv show:

    : GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
    [02/Oct/2015:11:45:05 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
    [02/Oct/2015:11:50:05 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server@realm] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
    [02/Oct/2015:11:50:05 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
    [02/Oct/2015:11:50:05 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)

Attempting to re-initialize fails:

    ipa-replica-manage re-initialize --from master
    Connection timed out.

I verified time is in sync and DNS forward/reverse resolution is working.

Any pointers on what else to try?

Thanks!

--Andrew