Dear flo,
Thanks for the update.
The IPA services are probably stopped. Can you try # ipactl start --ignore-service-failures
That has, I believe, worked as desired and I can now kinit on the first server.
Cut and paste
# ipactl start --ignore-service-failures
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Failed to start httpd Service
Forced start, ignoring httpd Service, continuing normal operation
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
^Z
[1]+  Stopped                 ipactl start --ignore-service-failures
[root@freeipa01 sm]# bg
[1]+ ipactl start --ignore-service-failures &

[root@freeipa01 sm]# kinit sm
Password for sm@OUR_DOMAIN
[root@freeipa01 sm]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: sm@OUR_DOMAIN

Valid starting       Expires              Service principal
09/09/20 14:29:14    10/09/20 14:29:08    krbtgt/OUR_DOMAIN@OUR_DOMAIN
Meanwhile in the background comes
Failed to start pki-tomcatd Service
Forced start, ignoring pki-tomcatd Service, continuing normal operation
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[1]+ Done ipactl start --ignore-service-failures
# ldapsearch -H ldap://`hostname` -LLL -o ldif-wrap=no -D 'cn=Directory Manager' -W '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
This should return an entry dn which contains the name of the renewal master, for instance: dn: cn=CA,cn=hostname.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
That does indeed return our first server 01 as I hoped.
dn: cn=CA,cn=freeipa01... etc
Warning, if the replication got broken, the result may be different on other servers. Make sure all the nodes have the same view of who is CA renewal master.
I have checked on the other two production freeipa servers and all point to the first.
Once you identify the CA renewal master, the repair procedure needs to be applied on this node first.
Okay, so I think I need to book a repair slot as I assume our authentication will fail during the time travel.
Thanks
Best wishes
Stuart
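As an added example (not part of this thread, nor FreeIPA's own tooling), a small POSIX shell helper for the check flo describes: parse the ldapsearch answer each master gives for the caRenewalMaster query and confirm that every node names the same CA renewal master. The hostnames, the example.com domain and the embedded LDIF lines are constructed sample data.

```shell
# Print the hostname named in the dn that the caRenewalMaster query returns.
# Expects the LDIF text (as produced by ldapsearch -LLL -o ldif-wrap=no) as $1,
# e.g. "dn: cn=CA,cn=freeipa01.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com".
renewal_master_from_ldif() {
    printf '%s\n' "$1" | sed -n 's/^dn: cn=CA,cn=\([^,]*\),cn=masters,.*/\1/p' | head -n 1
}

# Read "queried-host renewal-master" lines on stdin.  Return 0 when every
# server reports the same renewal master; return 1 and list the conflicting
# answers when they disagree, which is the sign of broken replication.
check_renewal_master_consistent() {
    distinct=$(awk '{print $2}' | sort -u)
    count=$(printf '%s\n' "$distinct" | grep -c .)
    if [ "$count" -eq 1 ]; then
        echo "all servers agree: CA renewal master is $distinct"
        return 0
    fi
    echo "WARNING: servers disagree on the CA renewal master:" >&2
    printf '  %s\n' $distinct >&2
    return 1
}

# Constructed sample: what three healthy replicas would answer.  On a live
# deployment the same lines would come from running, per server $h:
#   ldapsearch -H ldap://$h -LLL -o ldif-wrap=no -D 'cn=Directory Manager' -W \
#     '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
# and feeding the output to renewal_master_from_ldif.
sample_views() {
    for host in freeipa01.example.com freeipa02.example.com freeipa03.example.com; do
        ldif='dn: cn=CA,cn=freeipa01.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com'
        printf '%s %s\n' "$host" "$(renewal_master_from_ldif "$ldif")"
    done
}

# Run the consistency check over the constructed sample when executed directly.
sample_views | check_renewal_master_consistent
```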
freeipa-users@lists.fedorahosted.org