Please keep the user list in CC.

You did not send all information I requested.

Please use `rpm -ql ipa-server` to get exact version number

On 29.04.2016 13:32, barry...@gmail.com wrote:

Error is from GSS API and I'm thinking if it relates to a cert issue.

Server 1 > Server 2: fail
Server 2 > Server 1: ok

FreeIPA 3.0 on both

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
[26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[26/Apr/2016:18:40:19 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth resumed
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Missing data encountered
[26/Apr/2016:18:40:23 +0800]



On 29.04.2016 13:02, barry...@gmail.com wrote:
Hi All:

Is there any method to fall back to the default IPA cert if I didn't back up the original?

Now the slapd and IPA cert storage is quite a mess, so they can't replicate even with nsslapd:security disabled (set to off).


thx
Barry


Hello Barry,

Can you provide more info?

What is your IPA version, OS?
What are the symptoms you are experiencing?
What do you mean by default IPA cert?
Can you provide logs from replicas?
Can you provide `getcert list` command output?
Can you provide `ipactl status` from both servers?

Replication uses GSSAPI, at least on new IPA versions, I'm not sure if certificates are involved in this.

Martin
