On 10/02/2015 06:00 PM, Andrew E. Bruno wrote:
> On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote:
>> What's the best way to re-initialize a replica? 
>>
>> Suppose one of your replicas goes south.. is there a command to tell
>> that replica to re-initialize from the first master (instead of
>> removing/re-adding the replica from the topology)?
> 
> Found the command I was looking for:
>    ipa-replica-manage re-initialize --from xxx
> 
> However, one of our replicas is down and I can't seem to re-initialize
> it. Starting ipa fails (via systemctl restart ipa):
> 
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: STOPPED
> kadmin Service: STOPPED
> named Service: STOPPED
> ipa_memcached Service: STOPPED
> httpd Service: STOPPED
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa: INFO: The ipactl command was successful
> 
> 
> Errors from the dirsrv show:
> 
> : GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
> information (No Kerberos credentials available)) errno 0 (Success)
> [02/Oct/2015:11:45:05 -0400] slapi_ldap_bind - Error: could not perform 
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
> error)
> [02/Oct/2015:11:50:05 -0400] set_krb5_creds - Could not get initial 
> credentials for principal [ldap/server@realm] in keytab 
> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for 
> requested realm)
> [02/Oct/2015:11:50:05 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
> not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
> error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
> Minor code may provide more information (No Kerberos credentials available)) 
> errno 0 (Success)
> [02/Oct/2015:11:50:05 -0400] slapi_ldap_bind - Error: could not perform 
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
> error)
> 
> 
> Attempting to re-initialize fails:
> 
> ipa-replica-manage re-initialize --from master
> Connection timed out.
> 
> 
> I verified time is in sync and DNS forward/reverse resolution is working.
> 
> Any pointers on what else to try?
> 
> Thanks!
> 
> --Andrew

Given that your Kerberos server instance is down, I would start investigating
Kerberos logs to see why.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
