Hello Barry, Can you provide more info?

What is your IPA version, OS?

CentOS 6.5
server1 - ipa-server-3.0.0-47.el6.centos.2.x86_64
server 2 - ipa-server-3.0.0-37.el6.x86_64

What are the symptoms you are experiencing?

server1's updates do not transfer to server 2, but server 2 can transfer to server 1 even with the cert expired.

What do you mean by default ipa cert?

If the cert is the issue, then fall back to the original, non-expired self-signed cert.

Can you provide logs from replicas?

From server 2:
[09/May/2016:12:09:05 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)) errno 0 (Success)
[09/May/2016:12:09:05 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)

Can you provide `getcert list` command output?

Server 1 -
Number of certificates and requests being tracked: 0. < NO record

Server 2 -
Number of certificates and requests being tracked: 3.
Request ID '20140106083849':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=ABC.COM
        subject: CN=central02.ABC.com,O=ABC.COM
        expires: 2015-12-19 06:40:44 UTC
        eku: id-kp-ABCAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ABC-COM
        track: yes
        auto-renew: yes
Request ID '20140106083931':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=ABC.COM
        subject: CN=central02.ABC.com,O=ABC.COM
        expires: 2015-12-19 06:40:46 UTC
        eku: id-kp-ABCAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20140106083944':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=ABC.COM
        subject: CN=IPA RA,O=ABC.COM
        expires: 2015-11-12 08:41:45 UTC
        eku: id-kp-ABCAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

Can you provide `ipactl status` from both server?
Server1 -
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

Server 2 -
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

Now I don't want any cert, just GSSAPI to work...

Replication uses GSSAPI, at least on new IPA versions, I'm not sure if certificates are involved in this.

Martin

2016-05-02 18:28 GMT+08:00 Martin Basti <mba...@redhat.com>:

> Hello,
>
> Can you try to upgrade server to the same version?
>
> You did not provide all information I requested.
>
> Martin
>
>
> On 29.04.2016 19:13, barry...@gmail.com wrote:
>
> server 1:
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> server2
>
> ipa-server-3.0.0-37.el6.x86_64
>
> 2016-04-30 1:10 GMT+08:00 <barry...@gmail.com>:
>
>>
>> ipa-server-3.0.0-37.el6.x86_64 << here
>>
>> 2016-04-29 19:36 GMT+08:00 Martin Basti <mba...@redhat.com>:
>>
>>> Please keep user-list in CC
>>>
>>> You did not send all information I requested.
>>>
>>> Please use `rpm -ql ipa-server` to get exact version number
>>>
>>>
>>> On 29.04.2016 13:32, barry...@gmail.com wrote:
>>>
>>> Error is from GSS API and I'm thinking it may relate to a cert issue.
>>>
>>> Server1 > server 2 fail
>>> Server 2 > server1 ok
>>>
>>> Freeipa 3.0 both
>>>
>>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
>>> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
>>> [26/Apr/2016:18:40:19 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests
>>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth resumed
>>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Missing data encountered
>>> [26/Apr/2016:18:40:23 +0800]
>>>
>>>
>>> On 29.04.2016 13:02, barry...@gmail.com wrote:
>>>
>>> Hi All:
>>>
>>> Is there any method to fall back to the default ipa cert if I didn't back up the original?
>>>
>>> Now the slapd and ipa cert storage is quite a mess, so they can't replicate even with nsslapd:security disabled (set to off).
>>>
>>>
>>> thx
>>> Barry
>>>
>>>
>>> Hello Barry,
>>>
>>> Can you provide more info?
>>>
>>> What is your IPA version, OS?
>>> What are the symptoms you are experiencing?
>>> What do you mean by default ipa cert?
>>> Can you provide logs from replicas?
>>> Can you provide `getcert list` command output?
>>> Can you provide `ipactl status` from both server?
>>>
>>> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if certificates are involved in this.
>>>
>>> Martin
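A check a defender would want after reading the `getcert list` output in this thread: an added Python example (not part of the thread, of FreeIPA or of certmonger) that parses `getcert list` output and flags a replica that tracks nothing at all, requests not in MONITORING (such as NEED_CSR_GEN_TOKEN with stuck: yes), and certificates already expired at a given reference time. The sample output is constructed to mirror the two servers in the thread.

```python
import re
from datetime import datetime

# Constructed sample modelled on the `getcert list` output quoted in the thread:
# one replica tracks nothing, the other has a stuck, expired request and a healthy one.
SAMPLE_SERVER1 = "Number of certificates and requests being tracked: 0.\n"
SAMPLE_SERVER2 = """\
Number of certificates and requests being tracked: 2.
Request ID '20140106083849':
	status: NEED_CSR_GEN_TOKEN
	stuck: yes
	subject: CN=central02.ABC.com,O=ABC.COM
	expires: 2015-12-19 06:40:44 UTC
Request ID '20140106083944':
	status: MONITORING
	stuck: no
	subject: CN=IPA RA,O=ABC.COM
	expires: 2017-11-12 08:41:45 UTC
"""

def parse_getcert_list(text):
    """Turn `getcert list` output into one {field: value} dict per Request ID."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and line[:1] in ("\t", " "):
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests

def parse_getcert_time(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")

def audit_getcert(text, now):
    """Findings for one server; `now` uses the same timestamp format as `expires`."""
    now_dt = parse_getcert_time(now)
    reqs = parse_getcert_list(text)
    findings = []
    if not reqs:
        findings.append("no tracked certificates: certmonger will not renew anything here")
    for r in reqs:
        label = "%s (%s)" % (r["id"], r.get("subject", "?"))
        if r.get("status") != "MONITORING" or r.get("stuck") == "yes":
            findings.append("%s: status %s, stuck=%s" % (label, r.get("status"), r.get("stuck")))
        if "expires" in r and parse_getcert_time(r["expires"]) <= now_dt:
            findings.append("%s: expired %s" % (label, r["expires"]))
    return findings
```

Run it against `getcert list` captured from each replica; a server with no tracked requests, as server 1 here, will never have its service certificates renewed by certmonger even once the CA is reachable again.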
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project