On Thu, 19 Oct 2017, Kees Bakker via FreeIPA-users wrote:
On 19-10-17 15:07, Alexander Bokovoy wrote:
> On Thu, 19 Oct 2017, Kees Bakker via FreeIPA-users wrote:
>> [...]
>> [18/Oct/2017:11:24:27 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl" (linge:389): Replication bind with GSSAPI auth resumed
>>
>> Again, I would really appreciate if someone could hint how to debug this.
>> For example, what commands can I use to check the connection (in both
>> directions)?
> My understanding is that if you get the last message ("Replication bind
> with GSSAPI auth resumed"), you don't need to worry about the ones
> above. An intermittent issue of expired ticket is OK, SASL GSSAPI
> mechanism in CyrusSASL will reacquire credentials again after a few
> attempts. Technically these could be multiple times depending on how
> many threads are utilizing the same creds at the same time.
>
Thanks Alexander,
I'll let it run for a couple of days then and see how often this pops up.
I've checked the tickets as follows (from the Troubleshooting page [1]), and it looks
like there is nothing wrong with them.
# kinit -kt /etc/dirsrv/ds.keytab ldap/`hostname --fqdn`
# klist
# ldapsearch -Y GSSAPI -h linge.ghs.nl -b "" -s base
# ldapsearch -Y GSSAPI -h rotte.ghs.nl -b "" -s base
The only noteworthy difference is this:
@@ -74,12 +75,12 @@
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.3.4.9 B2016.109.158
-dataversion: 020171016093621020171016093621
-netscapemdsuffix: cn=ldap://dc=linge,dc=ghs,dc=nl:389
-lastusn: 174571
+dataversion: 020171011071705020171011071705020171011071705
+netscapemdsuffix: cn=ldap://dc=rotte,dc=ghs,dc=nl:389
+lastusn: 8107596
changeLog: cn=changelog
-firstchangenumber: 25375
-lastchangenumber: 35897
+firstchangenumber: 2505058
+lastchangenumber: 2518477
ipatopologypluginversion: 1.0
ipatopologyismanaged: on
ipaDomainLevel: 1
The difference above is expected. In short, I don't see any serious issue.
--
/ Alexander Bokovoy
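
Added example, not part of the original messages: one way to measure how often the GSSAPI bind failures discussed above occur, and whether each one was followed by the "resumed" message, by scanning the directory server errors log. The sample log is constructed; the wording of the "failed" line and the second agreement name are assumptions, since only the "resumed" line is quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the log layout quoted in the thread. Only the
# "resumed" line appears on the page; the "failed" wording and the
# meTopeer.example.test agreement are assumptions for illustration.
SAMPLE_LOG = '''\
[18/Oct/2017:11:19:26 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl" (linge:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
[18/Oct/2017:11:19:29 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl" (linge:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
[18/Oct/2017:11:24:27 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl" (linge:389): Replication bind with GSSAPI auth resumed
[18/Oct/2017:12:00:00 +0200] NSMMReplicationPlugin - agmt="cn=meTopeer.example.test" (peer:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
'''

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<peer>[^)]+)\): Replication bind with GSSAPI auth '
    r'(?P<state>failed|resumed)')


def summarize(log_text):
    """Per agreement: outage episodes, longest outage (s), open failure start."""
    stats = defaultdict(
        lambda: {"episodes": 0, "longest_s": 0.0, "failing_since": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        s = stats[m.group("agmt")]
        if m.group("state") == "failed":
            # Several threads may log the same expiry; count one episode.
            if s["failing_since"] is None:
                s["failing_since"] = ts
                s["episodes"] += 1
        elif s["failing_since"] is not None:
            gap = (ts - s["failing_since"]).total_seconds()
            s["longest_s"] = max(s["longest_s"], gap)
            s["failing_since"] = None
    return dict(stats)


def unresolved(stats):
    """Agreements whose last failure was never followed by 'resumed'."""
    return sorted(a for a, s in stats.items() if s["failing_since"] is not None)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for agmt, s in result.items():
        print(agmt, s["episodes"], s["longest_s"], s["failing_since"])
    print("still failing:", unresolved(result))
```

An agreement listed by unresolved() is the case worth investigating; failures that end in "resumed" match the intermittent ticket expiry described in the reply.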