Ian Levesque wrote:
On Feb 7, 2012, at 3:39 PM, Rob Crittenden wrote:
<snip>
Strange. Is your 389-ds instance running? If so can you run this query:
ldapsearch -x -b 'cn=services,cn=accounts,dc=sbgrid,dc=org' '(krbprincipalname=*sbgrid-directory*)'
I have the feeling that the principals for your IPA server have gone away.
Rather than post all the output, I filtered on the krbPrincipalName attribute.
Let me know if you want to see more:
dn: krbprincipalname=dogtagldap/[email protected],cn=servic
 es,cn=accounts,dc=sbgrid,dc=org
krbPrincipalName: dogtagldap/[email protected]
dn: krbprincipalname=ldap/[email protected],cn=services,cn=
 accounts,dc=sbgrid,dc=org
krbPrincipalName: ldap/[email protected]
dn: krbprincipalname=HTTP/[email protected],cn=services,cn=
 accounts,dc=sbgrid,dc=org
krbPrincipalName: HTTP/[email protected]
Note that when removing a replica it is often necessary to restart its
replication partners because sometimes there are old tickets cached. I've never
seen a case where principals were actually removed though.
What version of IPA are you running, on what distro?
CentOS 6.2
ipa-server-2.1.3-9.el6.x86_64
389-ds-base-1.2.9.14-1.el6_2.2.x86_64
Thanks,
Ian
Ok, this looks good. Is the krb5kdc process running?
It is indeed:
[root@sbgrid-directory dirsrv]# kinit ian
Password for [email protected]:
[root@sbgrid-directory dirsrv]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting     Expires            Service principal
02/07/12 15:51:02  02/08/12 15:51:00  krbtgt/[email protected]
~irl
Hmm, very strange. It seems like your server is actually up and running
ok, am I reading this incorrectly?
Does your command-line work: ipa user-show admin
Perhaps those are just spurious errors in the errors log.
You might try re-creating the replica again. You've done a restart since
so it should have cleared the ticket cache.
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users