Hi there,
Seems I have to kinit every time in order to run ipa command, as a quick
fix!?
The client is ipa-client-4.5.0-22.0.1.el7_4.x86_64
Servers are ipa-server-4.4.0-12.0.1.el7.x86_64
This has started recently and I am not able to track any changes that
could cause this. This happens:
# kinit
# ipa -d -vv user-find bob
- get good results. Then run same command again.
# ipa -d -vv user-find bob
ipa: DEBUG: New HTTP connection (
ldap03.pls.com)
ipa: DEBUG: HTTP connection destroyed (
ldap03.pls.com)
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 697, in
single_request
if not self._auth_complete(response):
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 657, in
_auth_complete
message=u"No valid Negotiate header in server response")
KerberosError: No valid Negotiate header in server response
ipa: ERROR: No valid Negotiate header in server response
[can provide more info if needed].
The kinit allows only next run to be successful.
I notice that problem occurs only with ldap03, ldap03 is called when
running ipa for the second time. And after kinit, another servers are
queried, not ldap03, hence no issue.
Another longer time 'fix' is in /etc/hosts, assigning IP (of another
server) to ldap03, basically "avoiding" ldap03.
Any idea for troubleshoot is appreciated. Thanks in advance!
--
Thanks,
Zarko