Re: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.
On Tue, 2012-05-08 at 12:20 -0700, David Copperfield wrote:
> HI Simo and all,
>
> Thanks for your reply.
>
> Do you mean restarting ipa service on ipa master like 'service ipa
> restart'? or run 'kdestroy' on ipamaster to remove kerberos tickets?
> It will be great if you could elaborate on this: like which IPA
> replica Kerberos principal, replica Kerberos tickets are involved, and
> where they are stored.

I meant service ipa restart

The ccache involved is a memory ccache that lives in the ns-slapd process,
so it can only be cleared with a restart for now.
I am opening a ticket to try to handle that automatically in 389ds, but
for now you have to go that route.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.
HI Simo and all,

Thanks for your reply.

Do you mean restarting ipa service on ipa master like 'service ipa restart'? or run 'kdestroy' on ipamaster to remove kerberos tickets?

It will be great if you could elaborate on this: like which IPA replica Kerberos principal, replica Kerberos tickets are involved, and where they are stored.

Thanks.

--David

-
From: Simo Sorce
To: David Copperfield
Cc: "freeipa-users@redhat.com"
Sent: Tuesday, May 8, 2012 6:08 AM
Subject: Re: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.

On Mon, 2012-05-07 at 20:38 -0700, David Copperfield wrote:
> I have an IPA replica server with disk problems, and then it is
> reimaged and rebuilt. But when the IPA replica function is rebuilt, it
> reports the following problem:
>
> [root@ipareplica02 ipa]# ipa-replica-install --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
> ...
> [21/29]: setting up initial replication
> Starting replication, please wait until this has completed.
> [ipamaster.example.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
> ...
>
> Before I run the replica rebuilding step on IPA replica, I already ran
> 'ipa-replica-manage disconn ipareplica01.example.com' on IPA master,
> and deleted the host entry for ipareplica02 as well.
>
> Did I miss any steps above? Please help. Thanks.

Due to the way Kerberos tickets are built you need to restart the master
this replica was replicating to before you rebuild a replica with the
exact same name.
This is because krb tickets are cached but you will change the long term
key with a full reinstall, so the current master will have a ticket the
replica cannot decrypt.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.
Simo Sorce wrote:
> On Mon, 2012-05-07 at 20:38 -0700, David Copperfield wrote:
>> I have an IPA replica server with disk problems, and then it is
>> reimaged and rebuilt. But when the IPA replica function is rebuilt, it
>> reports the following problem:
>>
>> [root@ipareplica02 ipa]# ipa-replica-install --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
>> ...
>> [21/29]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [ipamaster.example.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
>> ...
>>
>> Before I run the replica rebuilding step on IPA replica, I already ran
>> 'ipa-replica-manage disconn ipareplica01.example.com' on IPA master,
>> and deleted the host entry for ipareplica02 as well.
>>
>> Did I miss any steps above? Please help. Thanks.
>
> Due to the way Kerberos tickets are built you need to restart the master
> this replica was replicating to before you rebuild a replica with the
> exact same name.
> This is because krb tickets are cached but you will change the long term
> key with a full reinstall, so the current master will have a ticket the
> replica cannot decrypt.
>
> Simo.

The connect/disconnect commands for ipa-replica-manage are used to manage the replication agreements between masters. To completely remove a master you want the delete command.

We improved the man page documentation of this a bit in the 2.2 release.

rob
Re: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.
On Mon, 2012-05-07 at 20:38 -0700, David Copperfield wrote:
> I have an IPA replica server with disk problems, and then it is
> reimaged and rebuilt. But when the IPA replica function is rebuilt, it
> reports the following problem:
>
> [root@ipareplica02 ipa]# ipa-replica-install --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
> ...
> [21/29]: setting up initial replication
> Starting replication, please wait until this has completed.
> [ipamaster.example.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
> ...
>
> Before I run the replica rebuilding step on IPA replica, I already ran
> 'ipa-replica-manage disconn ipareplica01.example.com' on IPA master,
> and deleted the host entry for ipareplica02 as well.
>
> Did I miss any steps above? Please help. Thanks.

Due to the way Kerberos tickets are built you need to restart the master
this replica was replicating to before you rebuild a replica with the
exact same name.
This is because krb tickets are cached but you will change the long term
key with a full reinstall, so the current master will have a ticket the
replica cannot decrypt.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.
Temporarily fixed by myself -- remove replica ipareplica02 by FORCE again and again on IPA master, until the replica doesn't show up when running 'ipa-replica-manage list'.

Could someone at the Redhat IPA project please give a step-by-step on how to remove an IPA replica, and how to add it back -- reimage and rebuild --. Thanks.

[root@ipamaster .ssh]# ipa-replica-manage list
ipareplica01.example.com: master
ipareplica02.example.com: master
ipamaster.example.com: master
[root@ipamaster .ssh]#
[root@ipamaster .ssh]# ipa-replica-manage del ipareplica02.example.com --force
Unable to connect to replica ipareplica02.example.com, forcing removal
'ipamaster.example.com' has no replication agreement for 'ipareplica02.example.com'
'ipareplica01.example.com' has no replication agreement for 'ipareplica02.example.com'
[root@ipamaster .ssh]# ipa-replica-manage list
ipareplica01.example.com: master
ipamaster.example.com: master
[root@ipamaster .ssh]#

--David

From: David Copperfield
To: "freeipa-users@redhat.com" ; "d...@redhat.com" ; E Deon Lackey
Sent: Monday, May 7, 2012 8:41 PM
Subject: Re: IPA replica server rebuilding failed with 'Invalid credentials' error.

Debug output is attached as well.

root : DEBUG [21/29]: setting up initial replication
[21/29]: setting up initial replication
root : DEBUG args=/sbin/service dirsrv restart JIGSAW-COM
root : DEBUG stdout=Shutting down dirsrv: JIGSAW-COM... [ OK ]
Starting dirsrv: JIGSAW-COM... [ OK ]
root : DEBUG stderr=
Starting replication, please wait until this has completed.
[ipamaster.qe9.jigsaw.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
creation of replica failed: Failed to start replication
root : DEBUG Failed to start replication
File "/usr/sbin/ipa-replica-install", line 482, in main()
File "/usr/sbin/ipa-replica-install", line 433, in main
ds = install_replica_ds(config)
File "/usr/sbin/ipa-replica-install", line 135, in install_replica_ds
pkcs12_info)
File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 284, in create_replica
self.start_creation("Configuring directory server", 60)
File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 248, in start_creation
method()
File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 297, in __setup_replica
r_bindpw=self.dm_password)
File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 694, in setup_replication
raise RuntimeError("Failed to start replication")
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

--Guolin

From: David Copperfield
To: "freeipa-users@redhat.com"
Sent: Monday, May 7, 2012 8:38 PM
Subject: IPA replica server rebuilding failed with 'Invalid credentials' error.

I have an IPA replica server with disk problems, and then it is reimaged and rebuilt. But when the IPA replica function is rebuilt, it reports the following problem:

[root@ipareplica02 ipa]# ipa-replica-install --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
...
[21/29]: setting up initial replication
Starting replication, please wait until this has completed.
[ipamaster.example.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
...

Before I run the replica rebuilding step on IPA replica, I already ran 'ipa-replica-manage disconn ipareplica01.example.com' on IPA master, and deleted the host entry for ipareplica02 as well.

Did I miss any steps above? Please help. Thanks.

--David
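The master-side part of the procedure discussed in this thread, as an added example that is not code from the list or from the FreeIPA project: force-remove the stale replica entry until it no longer appears in 'ipa-replica-manage list' (David's workaround above), then restart the IPA services on the master so ns-slapd drops the cached ticket for the old replica keys (Simo's advice). The IPA_REPLICA_MANAGE and SERVICE_CMD overrides and the retry limit are assumptions added for dry runs with stub commands.

```shell
#!/bin/sh
# Added example, not from the thread: master-side cleanup before rebuilding a
# FreeIPA replica under the same name. Commands can be overridden with stubs
# (assumption for dry runs); the defaults are the tools shown in the thread.
IPA_REPLICA_MANAGE="${IPA_REPLICA_MANAGE:-ipa-replica-manage}"
SERVICE_CMD="${SERVICE_CMD:-service}"

# Succeeds when HOST is still listed as a master by 'ipa-replica-manage list'.
replica_listed() {
    $IPA_REPLICA_MANAGE list | grep -qFx "$1: master"
}

# Remove HOST from the topology with 'del --force' (the reimaged host no
# longer holds the keys the master knows, so a normal delete cannot bind to
# it) and repeat, as the thread reports was needed, until it is gone.
# Gives up after TRIES attempts (default 5) so a stuck entry is noticed.
remove_replica() {
    host="$1"
    tries="${2:-5}"
    n=0
    while replica_listed "$host"; do
        n=$((n + 1))
        if [ "$n" -gt "$tries" ]; then
            echo "giving up: $host still listed after $tries forced removals" >&2
            return 1
        fi
        $IPA_REPLICA_MANAGE del "$host" --force
    done
    echo "$host removed from topology after $n forced removal(s)"
    return 0
}

# The ticket for the old replica lives in an in-memory ccache inside the
# master's ns-slapd process, so only a restart of the IPA services drops it
# before the replica is reinstalled with new long-term keys.
restart_master() {
    $SERVICE_CMD ipa restart
}

# Full master-side sequence; run ipa-replica-install on the replica afterwards.
prepare_master_for_rebuild() {
    remove_replica "$1" "$2" && restart_master
}
```

Run it on the master as root, e.g. `prepare_master_for_rebuild ipareplica02.example.com`, before regenerating the replica file and reinstalling the replica.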
Re: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.
Debug output is attached as well.

root : DEBUG [21/29]: setting up initial replication
[21/29]: setting up initial replication
root : DEBUG args=/sbin/service dirsrv restart JIGSAW-COM
root : DEBUG stdout=Shutting down dirsrv: JIGSAW-COM... [ OK ]
Starting dirsrv: JIGSAW-COM... [ OK ]
root : DEBUG stderr=
Starting replication, please wait until this has completed.
[ipamaster.qe9.jigsaw.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
creation of replica failed: Failed to start replication
root : DEBUG Failed to start replication
File "/usr/sbin/ipa-replica-install", line 482, in main()
File "/usr/sbin/ipa-replica-install", line 433, in main
ds = install_replica_ds(config)
File "/usr/sbin/ipa-replica-install", line 135, in install_replica_ds
pkcs12_info)
File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 284, in create_replica
self.start_creation("Configuring directory server", 60)
File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 248, in start_creation
method()
File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 297, in __setup_replica
r_bindpw=self.dm_password)
File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 694, in setup_replication
raise RuntimeError("Failed to start replication")
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

--Guolin

From: David Copperfield
To: "freeipa-users@redhat.com"
Sent: Monday, May 7, 2012 8:38 PM
Subject: IPA replica server rebuilding failed with 'Invalid credentials' error.

I have an IPA replica server with disk problems, and then it is reimaged and rebuilt. But when the IPA replica function is rebuilt, it reports the following problem:

[root@ipareplica02 ipa]# ipa-replica-install --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
...
[21/29]: setting up initial replication
Starting replication, please wait until this has completed.
[ipamaster.example.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
...

Before I run the replica rebuilding step on IPA replica, I already ran 'ipa-replica-manage disconn ipareplica01.example.com' on IPA master, and deleted the host entry for ipareplica02 as well.

Did I miss any steps above? Please help. Thanks.

--David