389-ds-base cannot handle the new default DIR Kerberos cache and is causing the IPA replica DS to fail to authenticate and thus to replicate with the IPA master.
389-ds-base errors log:
[14/May/2013:11:35:36 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[14/May/2013:11:35:36 -0400] - Listening on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
[14/May/2013:11:35:36 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[14/May/2013:11:35:36 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[14/May/2013:11:35:36 -0400] NSMMReplicationPlugin - agmt="cn=meTovm-037.idm.lab.bos.redhat.com" (vm-037:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[14/May/2013:11:35:39 -0400] set_krb5_creds - Could not get default Kerberos ccache: -1765328189 (No credentials cache found)
[14/May/2013:11:35:39 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[14/May/2013:11:35:39 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[14/May/2013:11:35:45 -0400] set_krb5_creds - Could not get default Kerberos ccache: -1765328189 (No credentials cache found)
[14/May/2013:11:35:45 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[14/May/2013:11:35:45 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
Putting KRB5CCNAME in /etc/sysconfig/dirsrv fixes the issue:
[14/May/2013:12:16:30 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[14/May/2013:12:16:30 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[14/May/2013:12:16:30 -0400] NSMMReplicationPlugin - agmt="cn=meTovm-037.idm.lab.bos.redhat.com" (vm-037:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[14/May/2013:12:16:38 -0400] NSMMReplicationPlugin - agmt="cn=meTovm-037.idm.lab.bos.redhat.com" (vm-037:389): Replication bind with GSSAPI auth resumed
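A check for the misconfiguration the ticket describes, written as an added example (not the ticket's or FreeIPA's own code): it reports a host as at-risk when krb5.conf selects a DIR: default credential cache but the dirsrv sysconfig does not pin KRB5CCNAME to a cache 389-ds can use. The file contents and the FILE: path are constructed samples; the ticket does not state the value the fix used.

```shell
#!/bin/sh
# Added example, not from the ticket or the FreeIPA patch: flag a 389-ds
# host where libkrb5 defaults to a DIR: credential cache (the situation in
# the ticket) but /etc/sysconfig/dirsrv does not pin KRB5CCNAME to a cache
# type the server can use. All file contents below are constructed samples.

# Print the default_ccache_name from a krb5.conf, or nothing if unset.
krb5_default_ccache() {
    grep -E '^[[:space:]]*default_ccache_name[[:space:]]*=' "$1" |
        head -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Print the KRB5CCNAME value set in a sysconfig file, or nothing if unset.
sysconfig_krb5ccname() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?KRB5CCNAME=' "$1" |
        head -n 1 | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

# Verdict for a (krb5.conf, sysconfig) pair: "at-risk" when the default
# cache is DIR: and KRB5CCNAME is unset or itself DIR:, otherwise "ok".
# Assumption: an absent default_ccache_name means MIT krb5's compiled-in
# FILE:/tmp/krb5cc_%{uid} default, which 389-ds handles.
dirsrv_ccache_check() {
    dflt=$(krb5_default_ccache "$1")
    pin=$(sysconfig_krb5ccname "$2")
    case "$dflt" in
        DIR:*) case "$pin" in
                   ""|DIR:*) echo at-risk ;;
                   *)        echo ok ;;
               esac ;;
        *)     echo ok ;;
    esac
}

# Demo on constructed samples: the broken state, then the ticket's fix.
demo() {
    d=$(mktemp -d)
    cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
 default_ccache_name = DIR:/run/user/%{uid}/krb5cc
EOF
    : > "$d/dirsrv"                                  # no KRB5CCNAME yet
    printf 'before fix: %s\n' "$(dirsrv_ccache_check "$d/krb5.conf" "$d/dirsrv")"
    # Constructed placeholder path; the ticket does not give the value used.
    echo 'KRB5CCNAME=FILE:/tmp/krb5cc_dirsrv_PLACEHOLDER' >> "$d/dirsrv"
    printf 'after fix:  %s\n' "$(dirsrv_ccache_check "$d/krb5.conf" "$d/dirsrv")"
    rm -rf "$d"
}

demo
```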
attachment freeipa-mkosek-407-set-krb5ccname-so-that-dirsrv-can-work-with-newer-kr.patch
Patch freeipa-mkosek-407-set-krb5ccname-so-that-dirsrv-can-work-with-newer-kr.patch sent for review
master: ba89635 ipa-3-2: 0d4ec8e
Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2.x - 2013/05 (bug fixing)