Hi,

We inadvertently created a replica on a VM that was scheduled to be powered-down. This scheduling has since been stopped.

Replication to it works:

-sh-4.2$ ipa-replica-manage list -v ipa006.mgmt.prod.local.lan
p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied
ipa001.mgmt.prod.local.lan: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2017-05-30 19:47:21+00:00
ipa005.mgmt.prod.local.lan: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2017-05-30 19:47:21+00:00
ipa006.mgmt.nonprod.local.lan: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2017-05-30 19:47:21+00:00
ipa007.mgmt.prod.local.lan: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2017-05-30 19:47:21+00:00
ipa009.mgmt.prod.local.lan: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2017-05-30 19:47:21+00:00

But from it doesn't ...

-sh-4.2$ ipa-replica-manage list -v ipa006.mgmt.nonprod.local.lan
p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied
ipa006.mgmt.prod.local.lan: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
-sh-4.2$

This is presumably because the DS keytab is invalid ...

[root@ipa006 ~]# klist -kt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 25/04/17 11:59:54 ldap/ipa006.mgmt.nonprod.local....@local.lan
   1 25/04/17 11:59:54 ldap/ipa006.mgmt.nonprod.local....@local.lan
[root@ipa006 ~]# kinit -kt /etc/dirsrv/ds.keytab ldap/`hostname`
[root@ipa006 ~]# klist
Ticket cache: KEYRING:persistent:1629600114:krb_ccache_MMFShL3
Default principal: ldap/ipa006.mgmt.nonprod.local....@local.lan

Valid starting     Expires            Service principal
30/05/17 20:56:19  31/05/17 20:56:19  krbtgt/local....@local.lan
[root@ipa006 ~]# ldapsearch -Y GSSAPI -h `hostname` -b "" -s base
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
[root@ipa006 ~]# ldapsearch -Y GSSAPI -h ipa006.mgmt.prod.local.lan -b "" -s base
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
[root@ipa006 ~]#
[root@ipa006 ~]# kvno ldap/ipa006.mgmt.nonprod.local....@local.lan
ldap/ipa006.mgmt.nonprod.local....@local.lan: kvno = 1
[root@ipa006 ~]#

[31/May/2017:10:10:42.624019970 +0100] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa006.mgmt.nonprod.local....@local.lan] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[31/May/2017:10:10:42.626991209 +0100] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa006.mgmt.nonprod.local....@local.lan] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[31/May/2017:10:10:42.641172130 +0100] slapd started.  Listening on All Interfaces port 389 for LDAP requests
[31/May/2017:10:10:42.643809873 +0100] Listening on All Interfaces port 636 for LDAPS requests
[31/May/2017:10:10:42.645563686 +0100] Listening on /var/run/slapd-LOCAL.LAN.socket for LDAPI requests
[31/May/2017:10:10:42.649079604 +0100] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[31/May/2017:10:10:56.172281973 +0100] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=b428,dc=dvla,dc=gov,dc=uk
[31/May/2017:10:10:56.195279906 +0100] schema-compat-plugin - Finished plugin initialization.
[31/May/2017:10:11:00.165352662 +0100] NSMMReplicationPlugin - agmt="cn=ipa006.mgmt.nonprod.local.lan-to-ipa006.mgmt.prod.local.lan" (ipa006:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[31/May/2017:10:11:00.188136320 +0100] NSMMReplicationPlugin - agmt="cn=ipa006.mgmt.nonprod.local.lan-to-ipa006.mgmt.prod.local.lan" (ipa006:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[31/May/2017:10:11:06.083497332 +0100] slapd_poll(73) timed out

Tried to update ds.keytab by editing /etc/krb5.conf and changing kdc, master_kdc and admin_server to a valid replica, then restarting ipa, and ...

[root@ipa006 ~]# kinit admin
Password for ad...@local.lan:
[root@ipa006 ~]# ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/`hostname` -s ipa006.mgmt.prod.local.lan
Failed to parse result: PrincipalName not found.
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: PrincipalName not found.
Failed to get keytab!
Failed to get keytab
[root@ipa006 ~]#

Put everything back and tried to delete the replica again...

-sh-4.2$ ipa-replica-manage del ipa006.mgmt.nonprod.local.lan
'NoneType' object is not iterable

IPA is v4.4.0.

Could someone please tell me either how to fix the ds.keytab or how to delete the ipa006.mgmt.nonprod.local.lan replica.

Many thanks

Bob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
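Added example, not code from Bob's post or from the FreeIPA project: a POSIX shell script that parses the output of the three diagnostics used in the post (ipa-replica-manage list -v, klist -kt and kvno) so that a replication agreement failing with LDAP error 49, or a DS keytab whose KVNO no longer matches the KDC, is reported automatically rather than read off by eye. The host names, the realm EXAMPLE.TEST, the sample outputs and the function names (replica_errors, keytab_max_kvno, kdc_kvno, kvno_in_sync, check_live) are all constructed for this example. The constructed kvno output deliberately shows a KVNO drift so the mismatch branch is exercised; in the post itself keytab and KDC both reported kvno = 1, and the DS error log pointed at KDC reachability ("Cannot contact any KDC for requested realm") instead, which is why the krb5.conf kdc/master_kdc/admin_server entries were the next thing Bob looked at.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeIPA.
# Parses the diagnostics shown in the thread so a replica whose
# replication bind fails (LDAP error 49) or whose DS keytab KVNO differs
# from the KDC's is reported automatically. All host names, the realm
# EXAMPLE.TEST and the sample outputs below are constructed.

# Reads `ipa-replica-manage list -v <host>` output on stdin and prints
# "<replica> <status>" for every agreement whose last update status is
# an Error with a non-zero code (Error (0) is the success case).
replica_errors() {
    awk '
        /: replica$/ { host = $1; sub(/:$/, "", host); next }
        /last update status: Error \(/ {
            code = $0
            sub(/.*Error \(/, "", code); sub(/\).*/, "", code)
            if (code + 0 != 0) {
                msg = $0
                sub(/.*last update status: /, "", msg)
                print host " " msg
            }
        }'
}

# Reads `klist -kt <keytab>` output on stdin and prints the highest KVNO
# held for the given principal, or 0 if the principal is not in the keytab.
keytab_max_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $NF == p { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# Reads `kvno <principal>` output on stdin and prints the KVNO the KDC
# currently issues tickets for.
kdc_kvno() {
    awk '/kvno = / { v = $0; sub(/.*kvno = /, "", v); print v + 0 }'
}

# Succeeds when both KVNOs are positive and equal; a mismatch means the
# keytab must be re-fetched (ipa-getkeytab) before GSSAPI binds can work.
kvno_in_sync() {
    [ "$1" -gt 0 ] && [ "$1" -eq "$2" ]
}

# Runs the same checks against a live replica. Requires the IPA client
# tools, a valid ticket (e.g. after `kinit admin`) and the DS principal,
# e.g. check_live "ldap/$(hostname -f)@EXAMPLE.TEST" (assumed realm).
check_live() {
    princ="$1"
    kt=$(klist -kt /etc/dirsrv/ds.keytab | keytab_max_kvno "$princ")
    kdc=$(kvno "$princ" | kdc_kvno)
    if kvno_in_sync "$kt" "$kdc"; then
        echo "keytab KVNO $kt matches the KDC"
    else
        echo "KVNO mismatch: keytab=$kt kdc=$kdc"
    fi
    ipa-replica-manage list -v "$(hostname -f)" | replica_errors
}

# --- constructed sample outputs -------------------------------------------
SAMPLE_REPLICA_LIST='ipa-a.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2017-05-30 19:47:21+00:00
ipa-b.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00'

SAMPLE_KLIST='Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 25/04/17 11:59:54 ldap/ipa-b.example.test@EXAMPLE.TEST
   1 25/04/17 11:59:54 ldap/ipa-b.example.test@EXAMPLE.TEST'

# Constructed to show the drift case: the KDC is already at KVNO 2.
SAMPLE_KVNO='ldap/ipa-b.example.test@EXAMPLE.TEST: kvno = 2'

printf '%s\n' "$SAMPLE_REPLICA_LIST" | replica_errors
KT=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_max_kvno 'ldap/ipa-b.example.test@EXAMPLE.TEST')
KDC=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
if kvno_in_sync "$KT" "$KDC"; then
    echo "keytab KVNO $KT matches the KDC"
else
    echo "KVNO mismatch: keytab=$KT kdc=$KDC"
fi
```

Run as-is it exercises the parsers on the constructed samples; on a replica, call check_live with the DS principal after obtaining a ticket. A KVNO mismatch is the case where re-fetching the keytab helps; when the KVNOs agree and the DS log still reports that no KDC can be contacted, the krb5.conf KDC settings and network reachability of the other replicas are the place to look.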