So, this problem is still leaving me unable to install/build any
replica servers.

Eric


-----Original Message-----

Date: Tue, 13 Jun 2017 12:11:57 -0400
Subject: Re: [Freeipa-users] Re: replication problem
Cc: Mark Reynolds <marey...@redhat.com>, Rob Crittenden <rcritten@redhat.com>
To: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
From: Eric Renfro <psi-j...@linux-help.org>

In my particular case, I'm not using the client installation prior to
the replica installation. Though I have tried that method as well,
resulting in the very same issues regardless.

I'm using this to do the installation currently:

ipa-replica-install --unattended \
    --no-ntp --mkhomedir --skip-conncheck \
    --ip-address ip.ad.re.ss \
    --principal admin \
    --admin-password "redacted" \
    --server ipa1.home.ld \
    --domain home.ld \
    --realm HOME.LD

I'm going to try once again with the client install (that part works),
then promoting that to a replica, using kinit to gain admin privileges
and thus omitting the principal, admin-password, domain and realm
options to the replica-install command.

Eric


-----Original Message-----

Date: Tue, 13 Jun 2017 11:55:26 -0400
Subject: [Freeipa-users] Re: replication problem
Cc: Eric Renfro <psi-j...@linux-help.org>, Mark Reynolds <mareynol@redhat.com>, Rob Crittenden <rcrit...@redhat.com>
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Reply-to: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>

Eric Renfro via FreeIPA-users wrote:
> Hmmm..
> 
> Well, in my case specifically, the failed ipa-replica-install does in
> fact have the nsslapd-rootpw entry; however, changing this in a
> recovery process does no good during an ipa-replica-install.

I think this is a red herring. The client promotion code happened after
my time but I seem to recall that some magic happens regarding the DM
password so it isn't required during the install. I'm pretty sure that
a random one is set by the installer during initial configuration and
at the end it is replaced by the DM password in the master it is
replicating from.

So in other words it is expected to not match for some of the
installation.

rob

> Eric
> 
> -----Original Message-----
> 
> Date: Tue, 13 Jun 2017 10:51:13 -0400
> Subject: [Freeipa-users] Re: replication problem
> Cc: Eric Renfro <psi-j...@linux-help.org>, Adrian HY <ayeja...@gmail.com>, Mark Reynolds <marey...@redhat.com>
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Reply-to: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> From: Mark Reynolds via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> 
> 
> On 06/13/2017 10:34 AM, Eric Renfro via FreeIPA-users wrote:
> > Huh.. Well, who'da thunk it. I just literally reported the same kind
> > of trouble I was having, which looks like it matches this same
> > situation, with the ipa-replica-install failing to initiate
> > replication because of Invalid password, because the password for
> > some reason does not seem to be being set.
> 
> Sorry, replication does not use the Directory Manager account.
> Typically some type of "replication manager" entry is used, and in
> IPA I'm pretty sure this account uses Kerberos credentials (not a
> password).
> 
> Going back to the Directory Manager.... To confirm if the password
> is set, look in /etc/dirsrv/slapd-INSTANCE/dse.ldif, and under
> cn=config look for "nsslapd-rootpw". If this attribute is missing
> then it truly is not set. If your directory manager account does not
> have a password, or there is a password but you don't know what it
> is, then you can reset it following this doc:
> 
> http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html
> 
> > Eric
> > 
> > 
> > -----Original Message-----
> > 
> > Date: Tue, 13 Jun 2017 09:49:40 -0400
> > Subject: [Freeipa-users] Re: replication problem
> > Cc: FreeIPA users list <freeipa-users@lists.fedorahosted.org>, Adrian HY <ayeja...@gmail.com>
> > To: Mark Reynolds <marey...@redhat.com>
> > Reply-to: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> > From: Adrian HY via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> > 
> > Hi Mark, my problem is during the replica installation. I can't use
> > ldapmodify because cn=directory manager does not have the password
> > assigned.
> > 
> > Regards.
> > 
> > On Mon, Jun 12, 2017 at 1:38 PM, Mark Reynolds <marey...@redhat.com> wrote:
> > > On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote:
> > > > I think I detected the problem. The error log in the replica
> > > > writes:
> > > > 
> > > > [11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.
> > > > [11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
> > > > 
> > > > According to this: (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/pdf/Configuration_and_Command-Line_Tool_Reference/Red_Hat_Directory_Server-8.2-Configuration_and_Command-Line_Tool_Reference-en-US.pdf)
> > > > 
> > > > "When an incoming SASL IO packet is larger than the
> > > > nsslapd-maxsasliosize limit, the server immediately disconnects
> > > > the client and logs a message to the error log, so that an
> > > > administrator can adjust the setting if necessary"
> > > > 
> > > > The problem now is how can I change the value of the attribute
> > > > during replication.
> > > 
> > > You just use ldapmodify to change the value on each replica:
> > > 
> > > # ldapmodify -x -D "cn=directory manager" -W
> > > dn: cn=config
> > > changetype: modify
> > > replace: nsslapd-maxsasliosize
> > > nsslapd-maxsasliosize: YOUR_NEW_VALUE
> > > 
> > > > Regards.
> > > > 
> > > > On Sun, Jun 11, 2017 at 2:20 AM, Adrian HY <ayeja...@gmail.com> wrote:
> > > > > Hi folks, I had a problem with replication and I tried to add
> > > > > the slave back to the replica. The process stops in the initial
> > > > > replication phase.
> > > > > 
> > > > > The firewall and selinux are down and both servers are
> > > > > synchronized with the time.
> > > > > 
> > > > > Centos 7.3
> > > > > Freeipa 4.4.0-14
> > > > > 
> > > > > Master error log:
> > > > > 
> > > > > [11/Jun/2017:01:11:45.690402715 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
> > > > > [11/Jun/2017:01:11:45.690877649 -0400] NSMMReplicationPlugin - Warning: unable to acquire replica for total update, error: 49, retrying in 1 seconds.
> > > > > [11/Jun/2017:01:11:46.966060891 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
> > > > > [11/Jun/2017:01:11:47.095800971 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)".
> > > > > [11/Jun/2017:01:12:06.873713837 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server)
> > > > > [11/Jun/2017:01:12:06.874590112 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Received error -1 (Can't contact LDAP server):  for total update operation
> > > > > [11/Jun/2017:01:12:06.874950648 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server)
> > > > > [11/Jun/2017:01:12:06.875217640 -0400] NSMMReplicationPlugin - Total update failed for replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)", error (-11)
> > > > > [11/Jun/2017:01:12:06.894882383 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
> > > > > [11/Jun/2017:01:12:06.905304992 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database.  You may have to reinitialize the remote replica, or the local replica.
> > > > > [11/Jun/2017:01:12:09.912282245 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database.  You may have to reinitialize the remote replica, or the local replica.
> > > > > 
> > > > > Client ipareplica-install.log:
> > > > > 
> > > > > 2017-06-11T05:24:24Z DEBUG stderr=
> > > > > 2017-06-11T05:24:24Z DEBUG wait_for_open_ports: localhost [389] timeout 300
> > > > > 2017-06-11T05:24:24Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
> > > > > 2017-06-11T05:24:24Z DEBUG flushing ldap://usuarios.ipa.server.com:389 from SchemaCache
> > > > > 2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldap://usuarios.ipa.server.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x86909e0>
> > > > > 2017-06-11T05:24:24Z DEBUG Successfully updated nsDS5ReplicaId.
> > > > > 2017-06-11T05:24:24Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket from SchemaCache
> > > > > 2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x9e74440>
> > > > > 2017-06-11T05:24:46Z DEBUG Traceback (most recent call last):
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
> > > > >     run_step(full_msg, method)
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
> > > > >     method()
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
> > > > >     repl.setup_promote_replication(self.master_fqdn)
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
> > > > >     raise RuntimeError("Failed to start replication")
> > > > > RuntimeError: Failed to start replication
> > > > > 
> > > > > 2017-06-11T05:24:46Z DEBUG   [error] RuntimeError: Failed to start replication
> > > > > 2017-06-11T05:24:46Z DEBUG Destroyed connection context.ldap2_101192976
> > > > > 2017-06-11T05:24:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> > > > >     return_value = self.run()
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
> > > > >     cfgr.run()
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
> > > > >     self.execute()
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
> > > > >     for nothing in self._executor():
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
> > > > >     self._handle_exception(exc_info)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
> > > > >     six.reraise(*exc_info)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
> > > > >     step()
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
> > > > >     step = lambda: next(self.__gen)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> > > > >     six.reraise(*exc_info)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> > > > >     value = gen.send(prev_value)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
> > > > >     next(executor)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
> > > > >     self._handle_exception(exc_info)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
> > > > >     self.__parent._handle_exception(exc_info)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
> > > > >     six.reraise(*exc_info)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
> > > > >     super(ComponentBase, self)._handle_exception(exc_info)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
> > > > >     six.reraise(*exc_info)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
> > > > >     step()
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
> > > > >     step = lambda: next(self.__gen)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> > > > >     six.reraise(*exc_info)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> > > > >     value = gen.send(prev_value)
> > > > >   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
> > > > >     for nothing in self._installer(self.parent):
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
> > > > >     promote(self)
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
> > > > >     func(installer)
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1423, in promote
> > > > >     promote=True, pkcs12_info=dirsrv_pkcs12_info)
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 135, in install_replica_ds
> > > > >     api=remote_api,
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 401, in create_replica
> > > > >     self.start_creation(runtime=60)
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
> > > > >     run_step(full_msg, method)
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
> > > > >     method()
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
> > > > >     repl.setup_promote_replication(self.master_fqdn)
> > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
> > > > >     raise RuntimeError("Failed to start replication")
> > > > > 
> > > > > 
> > > > 
> > > > 
> > > > _______________________________________________
> > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
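The two checks Mark describes in the thread (whether nsslapd-rootpw is present under cn=config in dse.ldif, and how much to raise nsslapd-maxsasliosize after the rejection Adrian quoted), as an added Python example that is not part of this thread or of FreeIPA/389-ds. The error-log lines and the dse.ldif fragment are constructed samples, and the "50% headroom, rounded up to a MiB" rule for the new value is an assumption of this example, not project guidance.

```python
import re

# Constructed sample input: the two error-log lines Adrian quoted in the thread.
SAMPLE_ERROR_LOG = """\
[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.
[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
"""

# Constructed dse.ldif fragment (the real file is /etc/dirsrv/slapd-INSTANCE/dse.ldif).
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-rootdn: cn=directory manager
nsslapd-rootpw: {PBKDF2_SHA256}REDACTED-HASH
nsslapd-maxsasliosize: 2097152

dn: cn=encryption,cn=config
cn: encryption
"""

SASL_LIMIT_RE = re.compile(r"SASL encrypted packet length exceeds maximum allowed "
                           r"limit \(length=(\d+), limit=(\d+)\)")
MIB = 1024 * 1024

def find_sasl_limit_events(log_text):
    """Every (packet_length, configured_limit) pair the server rejected."""
    return [(int(m.group(1)), int(m.group(2))) for m in SASL_LIMIT_RE.finditer(log_text)]

def suggest_maxsasliosize(packet_lengths):
    """Largest rejected packet plus 50% headroom, rounded up to a whole MiB (assumed rule)."""
    needed = max(packet_lengths) * 3 // 2
    return (needed + MIB - 1) // MIB * MIB

def parse_ldif_entry(ldif_text, wanted_dn):
    """Return {attribute: [values]} for the entry whose dn matches, else None."""
    unfolded = ldif_text.replace("\n ", "")          # join LDIF continuation lines
    for block in re.split(r"\n\s*\n", unfolded):     # one block per entry
        attrs = {}
        for item in block.splitlines():
            if not item or item.startswith("#"):
                continue
            name, _, value = item.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if [v.lower() for v in attrs.get("dn", [])] == [wanted_dn.lower()]:
            return attrs
    return None

def rootpw_is_set(config_entry):
    """Mark's test: Directory Manager has a password only if nsslapd-rootpw exists."""
    return bool(config_entry and config_entry.get("nsslapd-rootpw"))

def ldif_modify_maxsasliosize(new_value):
    """The modification Mark applies with ldapmodify, as an LDIF string."""
    return ("dn: cn=config\nchangetype: modify\nreplace: nsslapd-maxsasliosize\n"
            f"nsslapd-maxsasliosize: {new_value}\n")
```

Feed the output of ldif_modify_maxsasliosize to ldapmodify on each replica exactly as Mark shows above; the parser only reads dse.ldif, it never edits it while ns-slapd is running.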