I'm sorry for spam. It's so hard to choose the right mailing list when it's night already.

On Sun, 9 Aug 2020 at 01:11, Konstantin M. Khankin <[email protected]> wrote:

> Hi!
>
> I run IPA on CentOS 7. I have two servers (Leader and Replica, though they
> changed roles a couple of times because of reinstalls), had ca and domain
> services on both of them, replication set up and working. I had to switch
> off Replica for 6 months. When I turned it on recently, I found expired
> certificates, couldn't fix them easily and lost the old Replica - at least
> I concluded it was easier to reinstate the Replica than to detangle the mess
> I made while I was trying to back out of outdated certs. I hit the same error
> as I do now though - Invalid Credentials (49).
>
> So I did the following:
>
> 1) on Replica - ipa-server-install --uninstall.
> 2) on Leader - ipa-replica-manage del --force --clean Replica.
> 3) removed obsolete replication agreement meToReplica from Leader.
> 4) removed all traces of Replica from DNS.
>
> Then I started to install Replica from scratch:
>
> 1) ipa-client-install
> 2) ipa-replica-install --setup-ca --setup-dns --forwarder X --forwarder Y
>
> Installation consistently fails with:
>
> '''
> Run connection check to master
> Connection check OK
> Configuring directory server (dirsrv). Estimated time: 30 seconds
> <...>
> [29/42]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 16 seconds elapsed
> [ldap://Leader:389] reports: Update failed! Status: [Error (49) - LDAP
> error: Invalid credentials]
>
> [error] RuntimeError: Failed to start replication
> '''
>
> Logs from Leader, /var/log/dirsrv/slapd-DOMAIN/errors:
>
> '''
> [<DATE>] - ERR - NSMMReplicationPlugin - bind_and_check_pwp -
> agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with GSSAPI
> auth failed: LDAP error 49 (Invalid credentials) ()
> '''
>
> I verified clocks on both Replica and Leader - they show the same time
> (within 1-2 seconds diff window). In fact, at some point I had Replica
> taking time straight from Leader, before they were set up to use the other
> common source. I dumped traffic between Leader and Replica - indeed,
> Leader tried to authenticate on Replica and Replica replies "Invalid
> credentials".
>
> I googled this error and read multiple email threads but nothing helped so
> far. Replica works fine as IPA client but can't get promoted to a replica.
>
> What am I missing?
>
> Thanks!
>
> --
> Khankin Konstantin
>
_______________________________________________
Pulp-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pulp-list
