#3628 389-ds-base replication is broken on Fedora 19
Closed: Fixed None Opened 10 years ago by mkosek.

389-ds-base cannot handle the new default DIR Kerberos cache, which causes the IPA replica DS to fail to authenticate and thus to replicate with the IPA master.

389-ds-base errors log:

[14/May/2013:11:35:36 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[14/May/2013:11:35:36 -0400] - Listening on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
[14/May/2013:11:35:36 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[14/May/2013:11:35:36 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[14/May/2013:11:35:36 -0400] NSMMReplicationPlugin - agmt="cn=meTovm-037.idm.lab.bos.redhat.com" (vm-037:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available))
[14/May/2013:11:35:39 -0400] set_krb5_creds - Could not get default Kerberos ccache: -1765328189 (No credentials cache found)
[14/May/2013:11:35:39 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[14/May/2013:11:35:39 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[14/May/2013:11:35:45 -0400] set_krb5_creds - Could not get default Kerberos ccache: -1765328189 (No credentials cache found)
[14/May/2013:11:35:45 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[14/May/2013:11:35:45 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)

Putting KRB5CCNAME into /etc/sysconfig/dirsrv fixes the issue:

[14/May/2013:12:16:30 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[14/May/2013:12:16:30 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[14/May/2013:12:16:30 -0400] NSMMReplicationPlugin - agmt="cn=meTovm-037.idm.lab.bos.redhat.com" (vm-037:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available))
[14/May/2013:12:16:38 -0400] NSMMReplicationPlugin - agmt="cn=meTovm-037.idm.lab.bos.redhat.com" (vm-037:389): Replication bind with GSSAPI auth resumed

Patch freeipa-mkosek-407-set-krb5ccname-so-that-dirsrv-can-work-with-newer-kr.patch sent for review
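As an added illustration (not part of this ticket or of FreeIPA's own code), the following Python script parses 389-ds errors-log lines in the format shown above, reports the last GSSAPI replication bind state per agreement and whether set_krb5_creds logged a missing credential cache, and checks whether a /etc/sysconfig/dirsrv-style file sets KRB5CCNAME. The sample log lines are abbreviated from the excerpts above, and the sysconfig content and ccache path are constructed placeholders.

```python
import re
# 389-ds errors log line shape: "[dd/Mon/yyyy:HH:MM:SS zone] source - message"
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<src>\S+) - (?P<msg>.*)$")
# replication agreement reference inside NSMMReplicationPlugin messages
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^)]+)\)')

def parse_errors_log(lines):
    """Return ({agreement: 'failed'|'resumed'}, ccache_missing): the last
    GSSAPI replication bind state seen per agreement, and whether
    set_krb5_creds reported that no credential cache could be found."""
    agmts = {}
    ccache_missing = False
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # listener/startup lines carry no "source - " part
            continue
        src, msg = m.group("src"), m.group("msg")
        if src == "set_krb5_creds" and "No credentials cache found" in msg:
            ccache_missing = True
        elif src == "NSMMReplicationPlugin":
            a = AGMT_RE.search(msg)
            if a and "GSSAPI auth failed" in msg:
                agmts[a.group("agmt")] = "failed"
            elif a and "GSSAPI auth resumed" in msg:
                agmts[a.group("agmt")] = "resumed"
    return agmts, ccache_missing

def krb5ccname_configured(sysconfig_text):
    """True when an uncommented, non-empty KRB5CCNAME= line is present."""
    for line in sysconfig_text.splitlines():
        s = line.strip()
        if s.startswith("KRB5CCNAME=") and s != "KRB5CCNAME=":
            return True
    return False

# constructed sample, abbreviated from the ticket's log excerpts
BROKEN_LOG = [
    '[14/May/2013:11:35:36 -0400] - Listening on All Interfaces port 636 for LDAPS requests',
    '[14/May/2013:11:35:36 -0400] NSMMReplicationPlugin - agmt="cn=meTovm-037.idm.lab.bos.redhat.com" (vm-037:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)',
    '[14/May/2013:11:35:39 -0400] set_krb5_creds - Could not get default Kerberos ccache: -1765328189 (No credentials cache found)',
]
FIXED_LOG = BROKEN_LOG[:2] + [
    '[14/May/2013:12:16:38 -0400] NSMMReplicationPlugin - agmt="cn=meTovm-037.idm.lab.bos.redhat.com" (vm-037:389): Replication bind with GSSAPI auth resumed',
]
# constructed sysconfig content; the ccache path is a placeholder, not FreeIPA's
SYSCONFIG_FIXED = "KRB5CCNAME=FILE:/path/to/ccache-placeholder\n"

if __name__ == "__main__":
    print(parse_errors_log(BROKEN_LOG), parse_errors_log(FIXED_LOG))
    print("KRB5CCNAME set:", krb5ccname_configured(SYSCONFIG_FIXED))
```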

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2.x - 2013/05 (bug fixing)

7 years ago

