Yes; I verified that both forward and reverse DNS match on all nodes.

Thank you,

Christian Hernandez
1225 Los Angeles Street
Glendale, CA 91204
Phone: 877-782-2737 ext. 4566
Fax: 818-265-3152
[email protected] <mailto:[email protected]>
www.4over.com <http://www.4over.com>

On Mon, Apr 15, 2013 at 6:21 PM, Dmitri Pal <[email protected]> wrote:

> On 04/15/2013 08:41 PM, Christian Hernandez wrote:
>
> Yup, looks like replication is broken =\
>
> [[email protected] ipa]# ipa-replica-manage disconnect
> ipa1.la3.4over.com
> Failed to get list of agreements from 'ipa1.la3.4over.com': Invalid
> credentials SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context
>
> [[email protected] ipa]# ipa-replica-manage list ipa1.la3.4over.com
> Failed to get data from 'ipa1.la3.4over.com': Invalid credentials
> SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>
> [[email protected] ipa]# ipa-replica-manage list
> ipa1.la3.4over.com: master
> ipa1.gln.4over.com: master
> ipa1.da2.4over.com: master
>
> Do the machines resolve each other correctly?
>
> Thank you,
>
> Christian Hernandez
> 1225 Los Angeles Street
> Glendale, CA 91204
> Phone: 877-782-2737 ext. 4566
> Fax: 818-265-3152
> [email protected] <mailto:[email protected]>
> www.4over.com <http://www.4over.com>
>
> On Mon, Apr 15, 2013 at 4:58 PM, Christian Hernandez <[email protected]> wrote:
>
>> Okay,
>>
>> So I tried to update to the newest version. Update went okay and users
>> can authenticate (as far as I can tell)...
>>
>> But I think may be replication broke?
>>
>> [[email protected] log]# ipa-replica-manage force-sync --from=
>> ipa1.gln.4over.com
>> Invalid password
>>
>> Any ideas?
>>
>> Thank you,
>>
>> Christian Hernandez
>> 1225 Los Angeles Street
>> Glendale, CA 91204
>> Phone: 877-782-2737 ext. 4566
>> Fax: 818-265-3152
>> [email protected] <mailto:[email protected]>
>> www.4over.com <http://www.4over.com>
>>
>> On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek <[email protected]> wrote:
>>
>>> On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
>>> > There are some odd errors in ldap_child.log but it seems to cover a
>>> > later period than the other logs (not being able to bind using its
>>> > keytab is a bad thing).
>>> >
>>> > I think what you'll want to do, and this may be relatively tough, is
>>> > try to correlate these failures with the 389-ds access log and the
>>> > KDC logs to see if there are equivalent failures at around the same
>>> > times.
>>>
>>> I agree, the ldap_child failing usually indicates an issue with the
>>> keytab and/or the KDC. The ldap_child functionality is roughly
>>> equivalent to
>>> "kinit -k".
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> [email protected]
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
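
The check discussed in this thread (forward and reverse DNS agreeing for every replica), as an added example that is not part of the original messages. The replica hostnames come from the `ipa-replica-manage list` output above; the addresses and PTR data are constructed sample values, and the function and parameter names are hypothetical.

```python
import socket

def forward_lookup(host):
    """Addresses the name resolves to (empty set if it does not resolve)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def reverse_lookup(addr):
    """PTR name for the address, or None if there is no reverse record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_replicas(hosts, fwd=forward_lookup, rev=reverse_lookup):
    """Return {host: [problems]}; an empty list means A/AAAA and PTR agree."""
    report = {}
    for host in hosts:
        problems = []
        addrs = fwd(host)
        if not addrs:
            problems.append("no forward record")
        for addr in sorted(addrs):
            ptr = rev(addr)
            if ptr is None:
                problems.append(f"{addr}: no PTR record")
            elif ptr.rstrip(".").lower() != host.rstrip(".").lower():
                # GSSAPI clients may canonicalize the server name through
                # reverse DNS, so a PTR mismatch changes the requested principal.
                problems.append(f"{addr}: PTR is {ptr}, expected {host}")
        report[host] = problems
    return report

# Constructed sample data (documentation addresses), not from the thread.
SAMPLE_A = {
    "ipa1.la3.4over.com": {"192.0.2.10"},
    "ipa1.gln.4over.com": {"192.0.2.20"},
    "ipa1.da2.4over.com": {"192.0.2.30"},
}
SAMPLE_PTR = {"192.0.2.10": "ipa1.la3.4over.com.",
              "192.0.2.20": "ipa1-old.gln.4over.com"}

def demo():
    """Run the check against the constructed data instead of live DNS."""
    return check_replicas(SAMPLE_A, lambda h: SAMPLE_A.get(h, set()), SAMPLE_PTR.get)

if __name__ == "__main__":
    for host, problems in demo().items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Calling `check_replicas([...])` with only the host list uses the system resolver, so it should be run on each replica in turn to compare what every node sees.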
