On Feb 7, 2012, at 3:39 PM, Rob Crittenden wrote:
>>> <snip>
>>> Strange. Is your 389-ds instance running? If so can you run this query:
>>>
>>> ldapsearch -x -b 'cn=services,cn=accounts,dc=sbgrid,dc=org'
>>> '(krbprincipalname=*sbgrid-directory*)'
>>>
>>> I have the feeling that the principals for your IPA server have gone away.
>>
>> Rather than post all the output, I filtered on the krbPrincipalName
>> attribute. Let me know if you want to see more:
>>
>> dn:
>> krbprincipalname=dogtagldap/[email protected],cn=servic
>> es,cn=accounts,dc=sbgrid,dc=org
>> krbPrincipalName: dogtagldap/[email protected]
>>
>> dn:
>> krbprincipalname=ldap/[email protected],cn=services,cn=
>> accounts,dc=sbgrid,dc=org
>> krbPrincipalName: ldap/[email protected]
>>
>> dn:
>> krbprincipalname=HTTP/[email protected],cn=services,cn=
>> accounts,dc=sbgrid,dc=org
>> krbPrincipalName: HTTP/[email protected]
>>
>>
>>
>>> Note that when removing a replica it is often necessary to restart its
>>> replication partners because sometimes there are old tickets cached. I've
>>> never seen a case where principals were actually removed though.
>>>
>>> What version of IPA are you running, on what distro?
>>
>>
>> CentOS 6.2
>> ipa-server-2.1.3-9.el6.x86_64
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>
>> Thanks,
>> Ian
>
> Ok, this looks good. Is the krb5kdc process running?

It is indeed:

[root@sbgrid-directory dirsrv]# kinit ian
Password for [email protected]:
[root@sbgrid-directory dirsrv]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
02/07/12 15:51:02  02/08/12 15:51:00  krbtgt/[email protected]

~irl
