Hello,

Can you try to upgrade server to the same version?

You did not provide all the information I requested.

Martin

On 29.04.2016 19:13, barry...@gmail.com wrote:
server 1:
ipa-server-3.0.0-26.el6_4.4.x86_64

server2

ipa-server-3.0.0-37.el6.x86_64

2016-04-30 1:10 GMT+08:00 <barry...@gmail.com>:


    ipa-server-3.0.0-37.el6.x86_64  << here

    2016-04-29 19:36 GMT+08:00 Martin Basti <mba...@redhat.com>:

        Please keep the user-list in CC.

        You did not send all information I requested.

        Please use `rpm -ql ipa-server` to get exact version number


        On 29.04.2016 13:32, barry...@gmail.com wrote:

        Error is from GSSAPI and I'm thinking if it relates to a cert issue.

        Server1> server 2 fail
        Server 2   > server1 ok

        Freeipa 3.0  both

        slapd_ldap_sasl_interactive_bind - Error: could not perform
        interactive bind for id [] mech [GSSAPI]: LDAP error -2
        (Local error) (SASL(-1): generic failure: GSSAPI Error:
        Unspecified GSS failure.  Minor code may provide more
        information (Credentials cache file '/tmp/krb5cc_492' not
        found)) errno 0 (Success)
        [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could
        not perform interactive bind for id [] mech [GSSAPI]: error
        -2 (Local error)
        [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin -
        agmt="cn=meTocentral02.ABC.com" (central02:389): Replication
        bind with GSSAPI auth failed: LDAP error -2 (Local error)
        (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
        failure. Minor code may provide more information (Credentials
        cache file '/tmp/krb5cc_492' not found))
        [26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on
        All Interfaces port 389 for LDAP requests
        [26/Apr/2016:18:40:19 +0800] - Listening on
        /var/run/slapd-ABC-COM.socket for LDAPI requests
        [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin -
        agmt="cn=meTocentral02.ABC.com" (central02:389): Replication
        bind with GSSAPI auth resumed
        [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin -
        agmt="cn=meTocentral02.ABC.com" (central02:389): Missing
        data encountered
        [26/Apr/2016:18:40:23 +0800]



        On 29.04.2016 13:02, barry...@gmail.com wrote:
        Hi All:

        Is there any method to fall back to the default IPA cert if I
        didn't back up the original?

        Now the slapd and IPA cert storage are quite a mess, so they
        can't replicate even with nsslapd:security set to off.


        thx
        Barry


        Hello Barry,

        Can you provide more info?

        What is your IPA version, OS?
        What are the symptoms you are experiencing?
        What do you mean by default ipa cert?
        Can you provide logs from replicas?
        Can you provide `getcert list` command output?
        Can you provide `ipactl status` from both servers?

        Replication uses GSSAPI, at least on new IPA versions, I'm
        not sure if certificates are involved in this.

        Martin



