Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Terry Soucy
The ldap/serverB keytab was renewed with the ipa-getkeytab command, but not
put into place. Since the existing keytab in /etc/dirsrv/ds.keytab was no
longer valid, replication stopped. I've since exported it a couple more
times from each of the servers in an attempt to get it working again, but
none of the keytabs work. I can, however, auth to the kerberos server using
the latest keytab file using kinit -kt /etc/dirsrv/ds.keytab ldap/serverB.
I've verified permissions on the keytab file.

Now, when I attempt to start replication, it gives me this in the error log
...

[20/Nov/2013:16:29:40 -0400] set_krb5_creds - Could not get initial
credentials for principal [ldap/en5013.dev.ca1.sfmc...@sfmc.co] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328174 (Generic preauthentication
failure)
[20/Nov/2013:16:29:40 -0400] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_497' not found)) errno 0 (Success)
[20/Nov/2013:16:29:40 -0400] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Nov/2013:16:29:40 -0400] NSMMReplicationPlugin - agmt="cn=
meTodv5002-en1.dev.ca1.sfmc.co" (dv5002-en1:389): Replication bind with
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (Credentials cache file '/tmp/krb5cc_497' not found))

Over and over and over again.  I can auth to the server with a standard
bind, but GSSAPI auth will not function.

I've even attempted to su to the dirsrv user and run a kinit using the
ds.keytab file and setting the cache to /tmp/krb5cc_497, but it just
complains that the permissions on the cache credentials file are incorrect.

I've also attempted to remove the replica from the working server, but I
get an authentication error when it attempts to contact the non-functional
server ...

# ipa-replica-manage del en5013.dev.ca1.sfmc.co
Connection to 'en5013.dev.ca1.sfmc.co' failed: Invalid credentials
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor
code may provide more information (Unknown error)
Unable to delete replica 'en5013.dev.ca1.sfmc.co'


Terry


On Wed, Nov 20, 2013 at 4:21 PM, Rob Crittenden wrote:

> Terry Soucy wrote:
>
>> I have the keytab with the oldest version number shown in the kvno
>> command, but when I put that into place, I get no joy.
>>
>
> A lot more details are required. Did you change or renew the keytab? Did
> it suddenly stop working, and when?
>
> Logs? /var/log/dirsrv/slapd-REALM/error and access. /var/log/krb5kdc.log.
>
> rob
>
>
>> Terry
>>
>>
>> On Wed, Nov 20, 2013 at 4:05 PM, Terry Soucy wrote:
>>
>> The service principal ldap/serverB was exported but not put into
>> place at /etc/dirsrv/ds.keytab. Replication started failing, dns
>> couldn't connect, the work generally started coming to an end. I've
>> re-exported the service principal to a keytab file. If I export from
>> serverA using the ipa-getkeytab file, I get one version number. If I
>> export from server B, I get an older version number. When I use the
>> kvno command, I get an even older number.
>>
>> Terry
>>
>>
>> On Wed, Nov 20, 2013 at 3:56 PM, Rich Megginson wrote:
>>
>> On 11/20/2013 12:37 PM, Terry Soucy wrote:
>>
>>> I am currently having the following issue.
>>>
>>> Running Redhat IPA on RHEL6.3 (ipa-server-3.0.0.25) in a basic
>>> two server multimaster setup.
>>>
>>> Servers A is running fine, but Server B is out of sync. More
>>> specifically, the ldap service principal is out of sync
>>> between the two servers, which is leading to no replication,
>>> etc, etc. I need to sync the ldap/serverB service principal on
>>> Server A with the ldap/serverB service principal on Server B.
>>> Is there a way to do that, or am I looking at a re-init of
>>> server B?
>>>
>>
>> I'm not sure what you mean by "the ldap service principal is out
>> of sync between the two servers"?
>>
>>
>>> Terry
>>>
>>> --
>>> Terry Soucy - Systems Engineer
>>> Salesforce MarketingCloud - http://www.salesforce.com
>>> (o) 506.631.7445  (c) 506.609.3247
>>>  | (e) tso...@salesforce.com
>>> 
>>>
>>>
>>> ___
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com  
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
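The three different version numbers Terry sees come down to one question: does the keytab in /etc/dirsrv/ds.keytab hold a key with the kvno the KDC currently issues for the ldap/ principal? The script below is an added example, not from the thread; instead of running klist and kvno it parses constructed sample output of those two commands, and the hostnames, realm and version numbers in the samples are made up.

```shell
# Constructed sample of `klist -kt /etc/dirsrv/ds.keytab` output (made up, not from the thread).
KLIST_SAMPLE='Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   3 11/20/13 15:10:02 ldap/serverb.example.com@EXAMPLE.COM
   3 11/20/13 15:10:02 ldap/serverb.example.com@EXAMPLE.COM
   2 11/01/13 09:00:00 host/serverb.example.com@EXAMPLE.COM'

# Constructed sample of `kvno ldap/serverb.example.com` output: the version the KDC issues now.
KVNO_SAMPLE='ldap/serverb.example.com@EXAMPLE.COM: kvno = 5'

# Distinct key version numbers the keytab holds for one principal.
# $1 = klist -kt output, $2 = principal, with or without @REALM.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if ($i == p || index($i, p "@") == 1) { print $1; break }
        }' | sort -un
}

# Key version the KDC reports. $1 = kvno command output.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# 0: keytab has the KDC's current kvno; 1: every key in the keytab is stale
# (the state that yields "Generic preauthentication failure" on the GSSAPI
# replication bind); 2: the principal is not in the keytab at all.
check_kvno() {
    have=$(keytab_kvnos "$1" "$3")
    want=$(kdc_kvno "$2")
    [ -n "$have" ] || { echo "no key for $3 in keytab"; return 2; }
    for k in $have; do
        [ "$k" = "$want" ] && { echo "OK: keytab kvno $k matches KDC"; return 0; }
    done
    echo "STALE: keytab kvno(s) $(printf '%s ' $have)but KDC issues kvno $want"
    return 1
}

# Demo run against the constructed samples: keytab has kvno 3, KDC expects 5.
check_kvno "$KLIST_SAMPLE" "$KVNO_SAMPLE" ldap/serverb.example.com || echo "exit status $?"
```

On a live server the same functions take `"$(klist -kt /etc/dirsrv/ds.keytab)"` and `"$(kvno ldap/$(hostname -f))"` as their inputs; a kvno match with the bind still failing points at the credential cache or keytab ownership rather than the key itself.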

Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Rob Crittenden

Terry Soucy wrote:

I have the keytab with the oldest version number shown in the kvno
command, but when I put that into place, I get no joy.


A lot more details are required. Did you change or renew the keytab? Did 
it suddenly stop working, and when?


Logs? /var/log/dirsrv/slapd-REALM/error and access. /var/log/krb5kdc.log.

rob


Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Steven Jones
Hi,

6.4 is a lot more stable than 6.3 so make an update a priority IMHO.

Not 100% sure what you mean but if they simply are out of sync then,

2 ways,

(make a full ldap2file backup first).

1) un-install IPA server on B, reboot and re-install on B.

2) You can force a re-sync at the command line, worth a shot.  Sometimes though
this doesn't work and you need to do a huge clearing out.

I'd almost suggest blow away B, upgrade A to 6.4 and upgrade B to 6.4 and 
re-install on B.

I found loss of sync on 6.3 a common and frequent occurrence, IPA on 6.4 seems 
way better in just about every way.


regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012
0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Terry Soucy [tso...@salesforce.com]
Sent: Thursday, 21 November 2013 8:37 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] out of sync replicas

I am currently having the following issue.

Running Redhat IPA on RHEL6.3 (ipa-server-3.0.0.25) in a basic two server 
multimaster setup.

Servers A is running fine, but Server B is out of sync. More specifically, the 
ldap service principal is out of sync between the two servers, which is leading 
to no replication, etc, etc. I need to sync the ldap/serverB service principal 
on Server A with the ldap/serverB service principal on Server B. Is there a way 
to do that, or am I looking at a re-init of server B?

Terry


Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Rich Megginson

On 11/20/2013 01:06 PM, Terry Soucy wrote:
I have the keytab with the oldest version number shown in the kvno 
command, but when I put that into place, I get no joy.


I don't know.  Perhaps someone with ipa kerberos expertise can help.




Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Terry Soucy
The service principal ldap/serverB was exported but not put into place at
/etc/dirsrv/ds.keytab. Replication started failing, dns couldn't connect,
the work generally started coming to an end. I've re-exported the service
principal to a keytab file. If I export from serverA using the
ipa-getkeytab file, I get one version number. If I export from server B, I
get an older version number. When I use the kvno command, I get an even
older number.

Terry


On Wed, Nov 20, 2013 at 3:56 PM, Rich Megginson wrote:

>  On 11/20/2013 12:37 PM, Terry Soucy wrote:
>
> I am currently having the following issue.
>
>  Running Redhat IPA on RHEL6.3 (ipa-server-3.0.0.25) in a basic two
> server multimaster setup.
>
>  Servers A is running fine, but Server B is out of sync. More
> specifically, the ldap service principal is out of sync between the two
> servers, which is leading to no replication, etc, etc. I need to sync the
> ldap/serverB service principal on Server A with the ldap/serverB service
> principal on Server B. Is there a way to do that, or am I looking at a
> re-init of server B?
>
>
> I'm not sure what you mean by "the ldap service principal is out of sync
> between the two servers"?
>
>
>  Terry
>



Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Terry Soucy
I have the keytab with the oldest version number shown in the kvno command,
but when I put that into place, I get no joy.

Terry


On Wed, Nov 20, 2013 at 4:05 PM, Terry Soucy wrote:

> The service principal ldap/serverB was exported but not put into place at
> /etc/dirsrv/ds.keytab. Replication started failing, dns couldn't connect,
> the work generally started coming to an end. I've re-exported the service
> principal to a keytab file. If I export from serverA using the
> ipa-getkeytab file, I get one version number. If I export from server B, I
> get an older version number. When I use the kvno command, I get an even
> older number.
>
> Terry

Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Rich Megginson

On 11/20/2013 12:37 PM, Terry Soucy wrote:

I am currently having the following issue.

Running Redhat IPA on RHEL6.3 (ipa-server-3.0.0.25) in a basic two 
server multimaster setup.


Servers A is running fine, but Server B is out of sync. More 
specifically, the ldap service principal is out of sync between the 
two servers, which is leading to no replication, etc, etc. I need to 
sync the ldap/serverB service principal on Server A with the 
ldap/serverB service principal on Server B. Is there a way to do that, 
or am I looking at a re-init of server B?


I'm not sure what you mean by "the ldap service principal is out of sync 
between the two servers"?




Terry
