[Freeipa-users] IPA not authenticating - SSSD issue maybe

Rob Crittenden rcritten at redhat.com
Tue Apr 16 02:15:40 UTC 2013


Christian Hernandez wrote:
> Looks like I've narrowed it down to...something...
>
> [root@ipa1.la3.4over.com ~]# ipa-replica-manage list ipa1.gln.4over.com
> Failed to get data from 'ipa1.gln.4over.com': Invalid credentials SASL(-13):
> authentication failure: GSSAPI Failure: gss_accept_sec_context
> [root@ipa1.la3.4over.com ~]# ipa-replica-manage list ipa1.da2.4over.com
> ipa1.gln.4over.com: replica
> ipa1.la3.4over.com: replica
> [root@ipa1.la3.4over.com ~]# ipa-replica-manage list $(hostname)
> ipa1.da2.4over.com: replica
> ipa1.gln.4over.com: replica
> [root@ipa1.la3.4over.com ~]# rpm -qa |egrep '389|ipa'
> ipa-admintools-3.0.0-26.el6_4.2.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-3.0.0-26.el6_4.2.x86_64
> libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
> 389-ds-base-libs-1.2.11.15-12.el6_4.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> libipa_hbac-1.9.2-82.4.el6_4.x86_64
> ipa-client-3.0.0-26.el6_4.2.x86_64
> 389-ds-base-1.2.11.15-12.el6_4.x86_64
> ipa-server-3.0.0-26.el6_4.2.x86_64
>
> Although when I try to remove the replication agreement...I can't =\
>
> [root@ipa1.la3.4over.com ~]# ipa-replica-manage disconnect $(hostname) ipa1.gln.4over.com
> Failed to get list of agreements from 'ipa1.gln.4over.com': Invalid credentials SASL(-13):
> authentication failure: GSSAPI Failure: gss_accept_sec_context

A couple of things to try:

- Check the KDC logs on the various hosts to see what error it is 
logging trying to get a ticket.
- kdestroy and let ipa-replica-manage prompt you for the DM password, or 
pass it via -p on the command-line

The first might tell you why you are seeing an auth failure, the second 
should show the status of replication and let you run other commands. 
I'm not sure that disconnecting is going to fix anything though. I'm not 
sure what it is you're trying to do there.

rob
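
Added example (not part of the message above and not FreeIPA code): a shell function for the first suggestion, listing what the KDC logged for requests that name a given service principal and did not end in ISSUE. It assumes the usual MIT krb5kdc request-line layout (on a FreeIPA server normally found in /var/log/krb5kdc.log); the function names, hostnames, realm, addresses and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list KDC requests for one service that did not end in ISSUE.
# Assumed line layout (MIT krb5kdc request log):
#   ... krb5kdc[PID](info): TGS_REQ (...) IP: STATUS: [authtime N, ...] CLIENT for SERVER[, reason]

# kdc_non_issue SERVICE_PREFIX [LOGFILE]   (reads stdin when LOGFILE is omitted)
# Prints one "STATUS<TAB>CLIENT<TAB>SERVER<TAB>REASON" line per matching request.
kdc_non_issue() {
    awk -v svc="$1" '
    index($0, "krb5kdc[") && ($0 ~ /AS_REQ|TGS_REQ/) {
        if (!match($0, /: [A-Z_]+: /)) next        # ": STATUS: " follows the client IP
        status = substr($0, RSTART + 2, RLENGTH - 4)
        if (status == "ISSUE") next                 # ticket was issued, nothing to report
        rest = substr($0, RSTART + RLENGTH)
        p = index(rest, " for ")
        if (!p) next
        server = substr(rest, p + 5)                # "SERVER[, reason]"
        reason = ""
        c = index(server, ", ")
        if (c) { reason = substr(server, c + 2); server = substr(server, 1, c - 1) }
        if (index(server, svc) != 1) next           # keep only the requested service
        n = split(substr(rest, 1, p - 1), f, " ")   # client is the last word before " for "
        printf "%s\t%s\t%s\t%s\n", status, f[n], server, reason
    }' ${2:+"$2"}
}

# Constructed sample log: every value below is made up.
sample_kdc_log() {
    cat <<'EOF'
Apr 15 19:02:09 ipa1.la3.example.test krb5kdc[1412](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Apr 15 19:02:11 ipa1.la3.example.test krb5kdc[1412](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1366077731, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Apr 15 19:02:15 ipa1.la3.example.test krb5kdc[1412](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1366077731, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for ldap/ipa1.da2.example.test@EXAMPLE.TEST
Apr 15 19:02:19 ipa1.la3.example.test krb5kdc[1412](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: UNKNOWN_SERVER: authtime 0,  admin@EXAMPLE.TEST for ldap/ipa1.gln.example.test@EXAMPLE.TEST, Server not found in Kerberos database
EOF
}

# Demo on the constructed log; on a real server pass the log file as the second argument.
sample_kdc_log | kdc_non_issue ldap/
```

If the log shows only ISSUE for the ldap/ principal of the failing host, the KDC handed out the ticket and the rejection came from the server that called gss_accept_sec_context, so that host is the next place to look.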



