So, any idea how to fix the Kerberos problem?

*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret

On Mon, Aug 19, 2013 at 12:19 PM, Bret Wortman <[email protected]> wrote:

> ...and I got the web UI, authentication and sudo back via:
>
> # ipactl stop
> # ipactl start
>
> Not sure why that worked, but it did. I was grasping at straws, honestly.
>
> *Bret Wortman*
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
> On Mon, Aug 19, 2013 at 12:18 PM, Bret Wortman <[email protected]> wrote:
>
>> Digging further, I think this log entry might be the problem between the
>> two servers that aren't talking:
>>
>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
>> bind for id[] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic
>> failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
>> information (Server ldap/[email protected] not found in Kerberos
>> database)) errno 2 (No such file or directory)
>>
>> Did I build something incorrectly when that server was set up originally?
>>
>> *Bret Wortman*
>> http://damascusgrp.com/
>> http://about.me/wortmanbret
>>
>> On Mon, Aug 19, 2013 at 12:02 PM, Bret Wortman <[email protected]> wrote:
>>
>>> I ran it on a good master, against a bad one. As in, I ran this command
>>> on my master IPA node:
>>>
>>> # ipa-replica-manage del --force bad1.foo.net --cleanup
>>>
>>> Was that wrong? I was trying to delete the bad replica from the master,
>>> so I figured the command needed to be run on the master. But again, my
>>> master is now in a state where it's not resolving DNS, user logins, or sudo
>>> at the very least.
>>>
>>> Oh, and I checked the node that it was complaining about earlier. The
>>> network connection to it is the pits, but it's there. And it resolves.
>>>
>>> *Bret Wortman*
>>> http://damascusgrp.com/
>>> http://about.me/wortmanbret
>>>
>>> On Mon, Aug 19, 2013 at 11:58 AM, Rob Crittenden <[email protected]> wrote:
>>>
>>>> Rob Crittenden wrote:
>>>>
>>>>> Bret Wortman wrote:
>>>>>
>>>>>> Well, my master ground to a halt and wasn't responding. I rebooted the
>>>>>> system and now I can't access the web UI or ssh to the master either. I
>>>>>> have console access but that's it.
>>>>>>
>>>>>> The services all say they're running, but the web UI gives an "Unknown
>>>>>> Error" dialog and ssh fails with "ssh_exchange_identification:
>>>>>> Connection closed by remote host" whenever I try to ssh to ipamaster. I
>>>>>> think something has gone really wrong inside my master. Any ideas? Even
>>>>>> after the reboot, --cleanup isn't helping and just hangs.
>>>>>>
>>>>>> The logfiles end (as of the time I ^C'd the process) with:
>>>>>>
>>>>>> NSMMReplicationPlugin - agmt="cn=meTogood3.spx.net
>>>>>> <http://meTogood3.spx.net>" (good3:389): Replication bind with GSSAPI
>>>>>> auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
>>>>>> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
>>>>>> information (Cannot determine realm for numeric host address))
>>>>>> NSMMReplicationPlugin - CleanAllRUV Task: Replica not online
>>>>>> (agmt="cn=meTogood3.foo.net <http://meTogood3.foo.net>" (good3:389))
>>>>>> NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas online,
>>>>>> retrying in 160 seconds...,
>>>>>>
>>>>>> So it looks like it's having trouble talking with one of my replicas and
>>>>>> is doggedly trying to get the job done. Any idea how to get the master
>>>>>> back working again while I troubleshoot this connectivity issue?
>>>>>
>>>>> That suggests a DNS problem, and it might explain ssh as well depending
>>>>> on your configuration.
>>>>
>>>> To be clear, you ran --cleanup against one of the bad masters, not a
>>>> good one, right?
>>>>
>>>> rob

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
