Re: [Freeipa-users] SASL(-13) authentication failure

2015-02-07 Thread Dmitri Pal

On 02/07/2015 02:22 AM, Bryan Pearson wrote:
> Okay, sorry for the messages. The original issue has been resolved,
> one of the servers' time was off.
>
> I am now having a problem similar to this:
> https://bugzilla.redhat.com/show_bug.cgi?id=953653. My logs indicate
> all the same issues.
> With IPA 3.0.0 and CentOS 6.6 is this still a viable solution to the
> problem?

Please start a new thread for a different question.
It seems that we were not able to reproduce it so it might be that the
issue is still there.

One of the problems can be the mismatch of the buffer sizes. See the bug.

> Bryan
>
> On Sat, Feb 7, 2015 at 12:17 AM, Bryan Pearson wrote:
>
>> I did a bit more digging into the issue, and realized that the
>> ruv-id of ipa2 is different on only one of the servers of the 3. I
>> am imagining I will need to run clean-ruv on the inconsistent node.
>>
>> Bryan
>>
>> On Fri, Feb 6, 2015 at 10:11 PM, Bryan Pearson wrote:
>>
>>> Hello,
>>>
>>> My IPA servers are currently saying:
>>>
>>> "Failed to get data from 'hostname.lan': Invalid credentials
>>> SASL(-13): authentication failure: GSSAPI Failure:
>>> gss_accept_sec_context"
>>>
>>> tail -f /var/log/dirsrv/slapd-HOSTNAME-LAN/errors
>>>
>>> [06/Feb/2015:21:42:41 -0500] slapd_ldap_sasl_interactive_bind
>>> - Error: could not perform interactive bind for id [] mech
>>> [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13):
>>> authentication failure: GSSAPI Failure:
>>> gss_accept_sec_context) errno 0 (Success)
>>> [06/Feb/2015:21:42:41 -0500] slapi_ldap_bind - Error: could
>>> not perform interactive bind for id [] mech [GSSAPI]: error 49
>>> (Invalid credentials)
>>>
>>> We have 3 master replicas in operation. ipa2, ipa3, ipa4 and
>>> ipa1 we are decommissioning. After losing the CA on 2 nodes,
>>> we promoted ipa3 to master, and created a replica file, scped
>>> it to ipa4, installed it, and on ipa4 created ipa2. Because of
>>> design, 3 and 2 can't communicate with each other.
>>>
>>> I just stopped dirsrv and pki-ca on ipa1, so it's possible it
>>> is creating issues.
>>>
>>> I can't determine where the credentials or how to get them
>>> changed as all the nodes are now having similar issues
>>> replicating.
>>>
>>> Bryan

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
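
An added example, not part of any post in this thread: a small triage script for the dirsrv errors-log format quoted above. It treats lines sharing a timestamp, mechanism and LDAP error code as one failed bind (an assumption based on the pair of lines shown in the thread); the sample log is constructed, with each entry unwrapped onto one line.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: two failed binds (two log lines each) plus one unrelated line.
_SASL = ("[{t} -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform "
         "interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) "
         "(SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) "
         "errno 0 (Success)")
_BIND = ("[{t} -0500] slapi_ldap_bind - Error: could not perform interactive bind "
         "for id [] mech [GSSAPI]: error 49 (Invalid credentials)")
SAMPLE_LOG = "\n".join([
    _SASL.format(t="06/Feb/2015:21:42:41"), _BIND.format(t="06/Feb/2015:21:42:41"),
    _SASL.format(t="06/Feb/2015:21:47:41"), _BIND.format(t="06/Feb/2015:21:47:41"),
    "[06/Feb/2015:21:48:00 -0500] - constructed unrelated line",
])

BIND_ERR = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<func>\S+) - Error: could not perform "
    r"interactive bind for id \[(?P<id>[^\]]*)\] mech \[(?P<mech>[^\]]+)\]: "
    r"(?:LDAP )?error (?P<code>\d+) \((?P<text>[^)]*)\)"
    r"(?: \(SASL\((?P<sasl>-?\d+)\): (?P<detail>.*?)\) errno)?"
)

def failed_binds(log_text):
    """Return one record per failed bind, keyed by (time, mech, LDAP code)."""
    events = {}
    for line in log_text.splitlines():
        m = BIND_ERR.match(line)
        if not m:
            continue  # not an interactive-bind error line
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (when, m["mech"], int(m["code"]))
        rec = events.setdefault(key, {"text": m["text"], "sasl": None, "detail": None})
        if m["sasl"] is not None:  # only the SASL-level line carries these fields
            rec["sasl"] = int(m["sasl"])
            rec["detail"] = m["detail"]
    return events

def summarize(events):
    """Count failed binds per (mechanism, LDAP code, SASL code)."""
    return Counter((mech, code, rec["sasl"]) for (_, mech, code), rec in events.items())

if __name__ == "__main__":
    for (mech, code, sasl), n in summarize(failed_binds(SAMPLE_LOG)).items():
        print(f"{n} failed {mech} bind(s): LDAP error {code}, SASL({sasl})")
```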

Re: [Freeipa-users] SASL(-13) authentication failure

2015-02-07 Thread Bryan Pearson
Okay, sorry for the messages. The original issue has been resolved, one of
the servers' time was off.

I am now having a problem similar to this:
https://bugzilla.redhat.com/show_bug.cgi?id=953653. My logs indicate all
the same issues.
With IPA 3.0.0 and CentOS 6.6 is this still a viable solution to the
problem?

Bryan

On Sat, Feb 7, 2015 at 12:17 AM, Bryan Pearson 
wrote:

> I did a bit more digging into the issue, and realized that the ruv-id of
> ipa2 is different on only one of the servers of the 3. I am imagining I will
> need to run clean-ruv on the inconsistent node.
>
> Bryan
>
> On Fri, Feb 6, 2015 at 10:11 PM, Bryan Pearson 
> wrote:
>
>> Hello,
>>
>> My IPA servers are currently saying:
>>
>> "Failed to get data from 'hostname.lan': Invalid credentials SASL(-13):
>> authentication failure: GSSAPI Failure: gss_accept_sec_context"
>>
>> tail -f /var/log/dirsrv/slapd-HOSTNAME-LAN/errors
>>
>> [06/Feb/2015:21:42:41 -0500] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49
>> (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure:
>> gss_accept_sec_context) errno 0 (Success)
>> [06/Feb/2015:21:42:41 -0500] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>>
>> We have 3 master replicas in operation. ipa2, ipa3, ipa4 and ipa1 we are
>> decommissioning. After losing the CA on 2 nodes, we promoted ipa3 to
>> master, and created a replica file, scped it to ipa4, installed it, and on
>> ipa4 created ipa2. Because of design, 3 and 2 can't communicate with each
>> other.
>>
>> I just stopped dirsrv and pki-ca on ipa1, so it's possible it is creating
>> issues.
>>
>> I can't determine where the credentials or how to get them changed as all
>> the nodes are now having similar issues replicating.
>>
>> Bryan
>>
>
>

Re: [Freeipa-users] SASL(-13) authentication failure

2015-02-06 Thread Bryan Pearson
I did a bit more digging into the issue, and realized that the ruv-id of
ipa2 is different on only one of the servers of the 3. I am imagining I will
need to run clean-ruv on the inconsistent node.

Bryan

On Fri, Feb 6, 2015 at 10:11 PM, Bryan Pearson 
wrote:

> Hello,
>
> My IPA servers are currently saying:
>
> "Failed to get data from 'hostname.lan': Invalid credentials SASL(-13):
> authentication failure: GSSAPI Failure: gss_accept_sec_context"
>
> tail -f /var/log/dirsrv/slapd-HOSTNAME-LAN/errors
>
> [06/Feb/2015:21:42:41 -0500] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49
> (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context) errno 0 (Success)
> [06/Feb/2015:21:42:41 -0500] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>
> We have 3 master replicas in operation. ipa2, ipa3, ipa4 and ipa1 we are
> decommissioning. After losing the CA on 2 nodes, we promoted ipa3 to
> master, and created a replica file, scped it to ipa4, installed it, and on
> ipa4 created ipa2. Because of design, 3 and 2 can't communicate with each
> other.
>
> I just stopped dirsrv and pki-ca on ipa1, so it's possible it is creating
> issues.
>
> I can't determine where the credentials or how to get them changed as all
> the nodes are now having similar issues replicating.
>
> Bryan
>