Andrew E. Bruno wrote:
> On Mon, Oct 05, 2015 at 12:40:42PM +0200, Martin Kosek wrote:
>> On 10/02/2015 06:00 PM, Andrew E. Bruno wrote:
>>> On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote:
>>>> What's the best way to re-initialize a replica? 
>>>>
>>>> Suppose one of your replicas goes south.. is there a command to tell
>>>> that replicate to re-initialize from the first master (instead of
>>>> removing/re-adding the replica from the topology)?
>>>
>>> Found the command I was looking for:
>>>    ipa-replica-manage re-initialize --from xxx
>>>
>>> However, one of our replicates is down and can't seem to re-initialize
>>> it. Starting ipa fails (via systemctl restart ipa):
>>>
>>> ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: STOPPED
>>> kadmin Service: STOPPED
>>> named Service: STOPPED
>>> ipa_memcached Service: STOPPED
>>> httpd Service: STOPPED
>>> pki-tomcatd Service: STOPPED
>>> ipa-otpd Service: STOPPED
>>> ipa: INFO: The ipactl command was successful
>>>
>>>
>>> Errors from the dirsrv show:
>>>
>>> : GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
>>> information (No Kerberos credentials available)) errno 0 (Success)
>>> [02/Oct/2015:11:45:05 -0400] slapi_ldap_bind - Error: could not perform 
>>> interactive bind for id [] authentication mechanism [GSSAPI]: error -2 
>>> (Local error)
>>> [02/Oct/2015:11:50:05 -0400] set_krb5_creds - Could not get initial 
>>> credentials for principal [ldap/server@realm] in keytab 
>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for 
>>> requested realm)
>>> [02/Oct/2015:11:50:05 -0400] slapd_ldap_sasl_interactive_bind - Error: 
>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 
>>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS 
>>> failure.  Minor code may provide more information (No Kerberos credentials 
>>> available)) errno 0 (Success)
>>> [02/Oct/2015:11:50:05 -0400] slapi_ldap_bind - Error: could not perform 
>>> interactive bind for id [] authentication mechanism [GSSAPI]: error -2 
>>> (Local error)
>>>
>>>
>>> Attempting to re-initialize fails:
>>>
>>> ipa-replica-manage re-initialize --from master
>>> Connection timed out.
>>>
>>>
>>> I verified time is in sync and DNS forward/reverse resolution is working.
>>>
>>> Any pointers on what else to try?
>>>
>>> Thanks!
>>>
>>> --Andrew
>>
>> Given that your Kerberos server instance is down, I would start investigating
>> Kerberos logs to see why.
> 
> 
> So looks like the dirsrv service comes up but with GSS errors about kerb
> credentials. However, the rest of the services including the krb5kdc
> fail to come up. Errors from the kdc logs suggest DNS:

DS complaining about GSS is somewhat normal during startup as it is a
bit noisy. The other errors suggest there is no data in the backend. An
ldapsearch would confirm that.

> 
>  LOOKING_UP_CLIENT: DNS/replica@REALM Server error
> 
> FreeIPA is configured to serve DNS and this replica resolves it's own
> DNS in /etc/resolv.conf (127.0.0.1)
> 
> I tried pointing /etc/resolv.conf to another (good) replica and even
> tried adjusting /etc/krb5.conf to point at another kdc to try and get a
> ticket however it still tries to connect to the local kdc (which fails
> to start).  
> 
> I'm inclined to re-install this replica and start fresh. I'm curious if
> we can re-kickstart this host from a fresh os/freeipa install and run
> the  ipa-replica-manage re-initialize --from master command. The replica
> will have the same name.. is this possible? Would we need to backup the
> /var/lib/ipa/replica-info-XXX.gpg file?

It needs to have its own principal in order to re-initialize. It sounds
like it has nothing which is why replication is failing.

I'd recommend generating a new replica file. There is no value in
re-using the old one and it could be harmful if the certificates are
expired.

You'll need to delete all replication agreements this master had and
you'll need to use the --force option since it won't be accessible. When
you re-install the master it will get all the current data as part of
the setup so no need to re-initialize after that.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to