Hmmm..

Well, in my case specifically, the failed ipa-replica-install does in
fact have the nsslapd-rootpw entry, however, changing this in a
recovery process does no good during an ipa-replica-install.

Eric

-----Original Message-----

Date: Tue, 13 Jun 2017 10:51:13 -0400
Subject: [Freeipa-users] Re: replication problem
Cc: Eric Renfro <psi-j...@linux-help.org>, Adrian HY <ayeja...@gmail.com>, Mark Reynolds <marey...@redhat.com>
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Reply-to: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
From: Mark Reynolds via FreeIPA-users <freeipa-users@lists.fedorahosted.org>

  
    
  
  
    

    

On 06/13/2017 10:34 AM, Eric Renfro via FreeIPA-users wrote:

> Huh.. Well, who'da thunk it. I just literally reported the same kind of
> trouble I was having, which looks like it matches this same situation,
> with the ipa-replica-install failing to initiate replication because of
> Invalid password, because the password for some reason does not seem to
> be being set.

Sorry, replication does not use the Directory Manager account.
Typically some type of "replication manager" entry is used, and in
IPA I'm pretty sure this account uses Kerberos credentials (not a
password).

Going back to the Directory Manager.... To confirm if the password
is set, look in /etc/dirsrv/slapd-INSTANCE/dse.ldif, and under
cn=config look for "nsslapd-rootpw". If this attribute is missing
then it truly is not set. If your directory manager account does
not have a password, or there is a password but you don't know what
it is, then you can reset it following this doc:

http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html

    

    
>       
> Eric
> 
> 
> -----Original Message-----
> 
> Date: Tue, 13 Jun 2017 09:49:40 -0400
> Subject: [Freeipa-users] Re: replication problem
> Cc: FreeIPA users list <freeipa-users@lists.fedorahosted.org>, Adrian HY <ayeja...@gmail.com>
> To: Mark Reynolds <marey...@redhat.com>
> Reply-to: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> From: Adrian HY via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
>
> Hi Mark, my problem is during the replica installation. I can't use
> ldapmodify because cn=directory manager does not have the password
> assigned.
> 
> Regards.
> 
> On Mon, Jun 12, 2017 at 1:38 PM, Mark Reynolds <marey...@redhat.com> wrote:
>
> > On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote:
> >
> > > I think I detected the problem. The error log in the replica writes:
> > >
> > > [11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152).  Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.
> > > [11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
> > >
> > > According to this:
> > > (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/pdf/Configuration_and_Command-Line_Tool_Reference/Red_Hat_Directory_Server-8.2-Configuration_and_Command-Line_Tool_Reference-en-US.pdf)
> > >
> > > "When an incoming SASL IO packet is larger than the
> > > nsslapd-maxsasliosize limit, the server immediately disconnects the
> > > client and logs a message to the error log, so that an administrator
> > > can adjust the setting if necessary"
> > >
> > > The problem now is how can I change the value of the attribute
> > > during replication.
> > >
> > 
> > You just use ldapmodify to change the value on each replica:
> > 
> > # ldapmodify -D "cn=directory manager" -W
> > dn: cn=config
> > changetype: modify
> > replace: nsslapd-maxsasliosize
> > nsslapd-maxsasliosize:  YOUR_NEW_VALUE
> > 
> > 
> >         
> > > Regards.
> > >
> > > On Sun, Jun 11, 2017 at 2:20 AM, Adrian HY <ayeja...@gmail.com> wrote:
> > >
> > > > Hi folks, I had a problem with replication and I tried to add the
> > > > slave back to the replica. The process stops in the initial
> > > > replication phase.
> > > >
> > > > The firewall and selinux are down and both servers are
> > > > synchronized with the time.
> > > > 
> > > > Centos 7.3
> > > > Freeipa 4.4.0-14
> > > > 
> > > > Master error log:
> > > > 
> > > > 11/Jun/2017:01:11:45.690402715 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
> > > > [11/Jun/2017:01:11:45.690877649 -0400] NSMMReplicationPlugin - Warning: unable to acquire replica for total update, error: 49, retrying in 1 seconds.
> > > > [11/Jun/2017:01:11:46.966060891 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
> > > > [11/Jun/2017:01:11:47.095800971 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)".
> > > > [11/Jun/2017:01:12:06.873713837 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server)
> > > > [11/Jun/2017:01:12:06.874590112 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Received error -1 (Can't contact LDAP server):  for total update operation
> > > > [11/Jun/2017:01:12:06.874950648 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server)
> > > > [11/Jun/2017:01:12:06.875217640 -0400] NSMMReplicationPlugin - Total update failed for replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)", error (-11)
> > > > [11/Jun/2017:01:12:06.894882383 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
> > > > [11/Jun/2017:01:12:06.905304992 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database.  You may have to reinitialize the remote replica, or the local replica.
> > > > [11/Jun/2017:01:12:09.912282245 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database.  You may have to reinitialize the remote replica, or the local replica.
> > > > 
> > > > Client ipareplica-install.log:
> > > > 
> > > > 2017-06-11T05:24:24Z DEBUG stderr=
> > > > 2017-06-11T05:24:24Z DEBUG wait_for_open_ports: localhost [389] timeout 300
> > > > 2017-06-11T05:24:24Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
> > > > 2017-06-11T05:24:24Z DEBUG flushing ldap://usuarios.ipa.server.com:389 from SchemaCache
> > > > 2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldap://usuarios.ipa.server.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x86909e0>
> > > > 2017-06-11T05:24:24Z DEBUG Successfully updated nsDS5ReplicaId.
> > > > 2017-06-11T05:24:24Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket from SchemaCache
> > > > 2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x9e74440>
> > > > 2017-06-11T05:24:46Z DEBUG Traceback (most recent call last):
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
> > > >     run_step(full_msg, method)
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
> > > >     method()
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
> > > >     repl.setup_promote_replication(self.master_fqdn)
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
> > > >     raise RuntimeError("Failed to start replication")
> > > > RuntimeError: Failed to start replication
> > > >
> > > > 2017-06-11T05:24:46Z DEBUG   [error] RuntimeError: Failed to start replication
> > > > 2017-06-11T05:24:46Z DEBUG Destroyed connection context.ldap2_101192976
> > > > 2017-06-11T05:24:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> > > >     return_value = self.run()
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
> > > >     cfgr.run()
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
> > > >     self.execute()
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
> > > >     for nothing in self._executor():
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
> > > >     self._handle_exception(exc_info)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
> > > >     six.reraise(*exc_info)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
> > > >     step()
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
> > > >     step = lambda: next(self.__gen)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> > > >     six.reraise(*exc_info)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> > > >     value = gen.send(prev_value)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
> > > >     next(executor)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
> > > >     self._handle_exception(exc_info)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
> > > >     self.__parent._handle_exception(exc_info)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
> > > >     six.reraise(*exc_info)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
> > > >     super(ComponentBase, self)._handle_exception(exc_info)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
> > > >     six.reraise(*exc_info)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
> > > >     step()
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
> > > >     step = lambda: next(self.__gen)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> > > >     six.reraise(*exc_info)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> > > >     value = gen.send(prev_value)
> > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
> > > >     for nothing in self._installer(self.parent):
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
> > > >     promote(self)
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
> > > >     func(installer)
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1423, in promote
> > > >     promote=True, pkcs12_info=dirsrv_pkcs12_info)
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 135, in install_replica_ds
> > > >     api=remote_api,
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 401, in create_replica
> > > >     self.start_creation(runtime=60)
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
> > > >     run_step(full_msg, method)
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
> > > >     method()
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
> > > >     repl.setup_promote_replication(self.master_fqdn)
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
> > > >     raise RuntimeError("Failed to start replication")

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
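
The two checks discussed in this thread (whether the cn=config entry of dse.ldif carries nsslapd-rootpw, and which SASL packet sizes exceeded nsslapd-maxsasliosize in the error log), as an added example that is not part of the original messages and not FreeIPA or 389-ds code. The function names are hypothetical, the dse.ldif fragment is constructed, and the log sample is the line quoted in the thread.

```python
import re

# Constructed dse.ldif fragment (not from the thread). LDIF folds long lines:
# a continuation line starts with one space. The hash is a placeholder.
SAMPLE_DSE = """\
dn: cn=config
cn: config
nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpw: {SSHA512}CONSTRUCTED-PLACEHOLDER-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxx-CONTINUED
nsslapd-maxsasliosize: 2097152

dn: cn=monitor
"""

# The error-log lines quoted in the thread, each rejoined onto one line.
SAMPLE_LOG = (
    "[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length "
    "exceeds maximum allowed limit (length=2483849, limit=2097152).  Change "
    "the nsslapd-maxsasliosize attribute in cn=config to increase limit.\n"
    "[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned\n"
)

SASL_RE = re.compile(r"SASL encrypted packet length exceeds maximum allowed "
                     r"limit \(length=(\d+), limit=(\d+)\)")


def config_entry(ldif_text):
    """Return the cn=config entry as {attribute_lowercase: [values]}."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)   # undo LDIF line folding
    for block in re.split(r"\r?\n\s*\r?\n", unfolded):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, val = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(val.lstrip(": "))
        if [v.lower() for v in attrs.get("dn", [])] == ["cn=config"]:
            return attrs
    return {}

def rootpw_is_set(ldif_text):
    """True if cn=config has a non-empty nsslapd-rootpw; never echoes it."""
    return any(config_entry(ldif_text).get("nsslapd-rootpw", []))

def sasl_limit_hits(log_text):
    """(length, limit) for each SASL packet the server rejected as too large."""
    return [(int(n), int(lim)) for n, lim in SASL_RE.findall(log_text)]
```

`rootpw_is_set` reports presence only, so its result can be shared on a list; the attribute value itself is a password hash and should stay out of posted output.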