[Pulp-list] Can't reinstate a replica from scratch after it was off for 6 months

Konstantin M. Khankin khankin.konstantin at gmail.com
Sun Aug 9 05:21:16 UTC 2020


I'm sorry for the spam. It's so hard to choose the right mailing list when it's
night already.

Sun, 9 Aug 2020, 01:11 Konstantin M. Khankin <
khankin.konstantin at gmail.com>:

> Hi!
>
> I run IPA on CentOS 7. I have two servers (Leader and Replica, though they
> changed roles a couple of times because of reinstalls), had ca and domain
> services on both of them, replication set up and working. I had to switch
> off Replica for 6 months. When I turned it on recently, I found expired
> certificates, couldn't fix them easily and lost the old Replica - at least
> I concluded it was easier to reinstate the Replica than to detangle the mess
> I made while I was trying to back out of outdated certs. I hit the same error
> as I do now though - Invalid Credentials (49).
>
> So I did the following:
>
> 1) on Replica - ipa-server-install --uninstall.
> 2) on Leader - ipa-replica-manage del --force --clean Replica.
> 3) removed obsolete replication agreement meToReplica from Leader.
> 4) removed all traces of Replica from DNS.
>
> Then I started to install Replica from scratch:
>
> 1) ipa-client-install
> 2) ipa-replica-install --setup-ca --setup-dns --forwarder X --forwarder Y
>
> Installation consistently fails with:
>
> '''
> Run connection check to master
> Connection check OK
> Configuring directory server (dirsrv). Estimated time: 30 seconds
> <...>
>   [29/42]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 16 seconds elapsed
> [ldap://Leader:389] reports: Update failed! Status: [Error (49)  - LDAP
> error: Invalid credentials]
>
>   [error] RuntimeError: Failed to start replication
> '''
>
> Logs from Leader, /var/log/dirsrv/slapd-DOMAIN/errors:
>
> '''
> [<DATE>] - ERR - NSMMReplicationPlugin - bind_and_check_pwp -
> agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with GSSAPI
> auth failed: LDAP error 49 (Invalid credentials) ()
> '''
>
> I verified clocks on both Replica and Leader - they show the same time
> (within a 1-2 second diff window). In fact, at some point I had Replica
> taking time straight from Leader, before they were set up to use the other
> common source. I dumped traffic between Leader and Replica - indeed,
> Leader tried to authenticate on Replica and Replica replied "Invalid
> credentials".
>
> I googled this error and read multiple email threads but nothing helped so
> far. Replica works fine as IPA client but can't get promoted to a replica.
>
> What am I missing?
>
> Thanks!
>
> --
> Khankin Konstantin
>