Russell Jones via FreeIPA-users wrote:
> Thanks,
> 
> I ended up finding the issue from another mailing list post. ntpd was
> not running on this host and the time got skewed too much from the other
> masters.
> 
> For what it's worth, the ipa-healthcheck script did not catch this
> issue. Might be something to add?

It would be nice but syncing time can be quite slow and, AFAIK, there is
no way in advance to know if there is a time source available. So check
against what?

rob

> 
> On Fri, Jan 28, 2022 at 2:49 AM Florence Blanc-Renaud <[email protected]> wrote:
> 
>     Hi,
>     you can find troubleshooting tips in
>     https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/trouble-gen-replication
> 
>     HTH,
>     flo
> 
>     On Thu, Jan 27, 2022 at 6:54 PM Russell Jones via FreeIPA-users <[email protected]> wrote:
> 
>         Hi all,
> 
>         I have a setup of 4 FreeIPA servers, version 4.6.5, all on CentOS 7.
> 
>         I've discovered that #4 is not syncing a new "video" group I
>         created, while the other 3 all have the group.
> 
>         When looking at dirsrv error log, I am seeing the following
>         after running an ipactl stop / ipactl start:
> 
>         [27/Jan/2022:11:35:55.158724429 -0600] - ERR - set_krb5_creds -
>         Could not get initial credentials for principal
>         [ldap/[email protected]] in keytab
>         [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
>         KDC for requested realm)
>         [27/Jan/2022:11:35:55.169790450 -0600] - INFO - slapd_daemon -
>         slapd started.  Listening on All Interfaces port 389 for LDAP
>         requests
>         [27/Jan/2022:11:35:55.173079823 -0600] - INFO - slapd_daemon -
>         Listening on All Interfaces port 636 for LDAPS requests
>         [27/Jan/2022:11:35:55.175096801 -0600] - INFO - slapd_daemon -
>         Listening on /var/run/slapd-US-EP-CORP-LOCAL.socket for LDAPI
>         requests
>         [27/Jan/2022:11:35:55.235218894 -0600] - ERR -
>         schema-compat-plugin - schema-compat-plugin tree scan will start
>         in about 5 seconds!
>         [27/Jan/2022:11:35:58.368835716 -0600] - ERR -
>         NSMMReplicationPlugin - bind_and_check_pwp -
>         agmt="cn=meTofreeipa.us.ep.corp.local" (freeipa:389) -
>         Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid
>         credentials) ()
> 
> 
>         I am unsure what the issue is or how to resolve this. Could I
>         get some assistance with being pointed in the right direction?
> 
>         Thank you!
>         _______________________________________________
>         FreeIPA-users mailing list --
>         [email protected]
>         <mailto:[email protected]>
>         To unsubscribe send an email to
>         [email protected]
>         <mailto:[email protected]>
>         Fedora Code of Conduct:
>         https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>         List Guidelines:
>         https://fedoraproject.org/wiki/Mailing_list_guidelines
>         List Archives:
>         
> https://lists.fedorahosted.org/archives/list/[email protected]
>         Do not reply to spam on the list, report it:
>         https://pagure.io/fedora-infrastructure
> 
> 
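Added example, not part of the original thread or of ipa-healthcheck: a small triage script for the dirsrv error log quoted above, which pairs each failed GSSAPI replication bind with a Kerberos credential failure logged shortly before it. The pairing points at Kerberos (in this thread, clock skew with ntpd stopped) rather than at the replication agreement itself; it does not measure skew. Host names and the principal in the sample are constructed placeholders, and the 60-second window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the dirsrv error log quoted in the thread
# (host names and principal are placeholders; lines are unwrapped).
SAMPLE_LOG = """\
[27/Jan/2022:11:35:55.158724429 -0600] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa4.example.test@EXAMPLE.TEST] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[27/Jan/2022:11:35:55.169790450 -0600] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[27/Jan/2022:11:35:58.368835716 -0600] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipa1.example.test" (ipa1:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] - (?P<sev>\w+) - (?P<rest>.*)$')
KRB_RE = re.compile(r'set_krb5_creds - Could not get initial credentials.*: (?P<code>-?\d+) \((?P<why>[^)]*)\)')
AGMT_RE = re.compile(r'agmt="cn=(?P<agmt>[^"]+)".*Replication bind with GSSAPI auth failed')

def parse_ts(ts):
    # dirsrv logs nanoseconds; strptime's %f accepts at most 6 digits, so truncate.
    m = re.match(r'(.+?)\.(\d+) ([+-]\d{4})$', ts)
    return datetime.strptime(f"{m[1]}.{m[2][:6]} {m[3]}", "%d/%b/%Y:%H:%M:%S.%f %z")

def triage(log_text, window=timedelta(seconds=60)):
    """Return one finding per failed GSSAPI replication bind, with the
    Kerberos credential failure (if any) logged within `window` before it."""
    last_krb = None
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["sev"] != "ERR":
            continue
        when = parse_ts(m["ts"])
        krb = KRB_RE.search(m["rest"])
        if krb:
            last_krb = (when, int(krb["code"]), krb["why"])
            continue
        rep = AGMT_RE.search(m["rest"])
        if rep:
            cause = None
            if last_krb and when - last_krb[0] <= window:
                cause = {"krb5_code": last_krb[1], "krb5_message": last_krb[2]}
            findings.append({"agreement": rep["agmt"], "time": when, "kerberos": cause})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["agreement"], f["kerberos"])
```

A finding whose "kerberos" field is set means the host could not get its own service ticket, so time sync and KDC reachability are the first things to check on that replica.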