We have observed the following situation: a replication agreement between server1 
and server2 exists

    ipa-replica-manage list server2>server1
However some of the users, hosts etc that are added on server1 are not making 
it to server2. 
In the sssd/error logs I can see the following, which looks relevant:
[27/Jul/2017:04:53:22.624847790 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (server1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[27/Jul/2017:05:01:34.472586960 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (server1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[29/Jul/2017:01:33:20.466840208 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (server1:389): Replication bind with GSSAPI auth resumed
[29/Jul/2017:11:16:51.566360207 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (server1:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Jul/2017:11:17:00.664020018 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (server1:389): Replication bind with GSSAPI auth resumed
[29/Jul/2017:11:17:01.106831731 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (server1:389): The remote replica has a different database generation ID than the local database.  You may have to reinitialize the remote replica, or the local replica.
There are no known network issues between the two servers, and all ports are 
open, as confirmed by nmap.
I am also able to run
    ipa-replica-manage re-initialize --from server1 
which has the desired effect of updating server2's information.

In /var/log/messages I do see:
Jul 31 03:18:08 server2 named-pkcs11[30962]: zone domain.com/IN: NS 'server1' has no address records (A or AAAA)
Jul 31 11:41:52 server2 ns-slapd: [31/Jul/2017:11:41:52.408672378 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (ipa-x1:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()

In /var/log/messages I also see:
Jul 31 03:18:08 server2 named-pkcs11[30962]: zone domain.com/IN: NS 'server1.domain.com' has no address records (A or AAAA)
Jul 31 03:18:08 server2 named-pkcs11[30962]: zone domain.com/IN: not loaded due to errors.
Jul 31 03:18:08 server2 named-pkcs11[30962]: update_zone (syncrepl) failed for master zone DN 'idnsname=domain.com.,cn=dns,dc=company,dc=com'. Zones can be outdated, run `rndc reload`: bad zone
Jul 31 04:05:03 server2 named-pkcs11[30962]: error (network unreachable) resolving 'srv.external_dns.net/A/IN': 2a02:e180:8::1#53
Jul 31 11:40:05 server2 named-pkcs11[30962]: received control channel command 'stop'
Jul 31 11:40:05 server2 named-pkcs11[30962]: shutting down: flushing changes
Jul 31 11:40:05 server2 named-pkcs11[30962]: stopping command channel on ::1#953
Jul 31 11:40:05 server2 named-pkcs11[30962]: zone 23.34.34.-addr.arpa/IN: shutting down
So it looks like some problem with IPA's DNS server. Since server2 is its own 
auth DNS server for the FreeIPA domains, it would make sense that it wouldn't be 
able to resolve server1's IP address and replication would fail.
If you agree, then what would be the steps to troubleshoot the DNS functionality 
problems above?
PS: Another thing to note is that when I re-initialized the database from 
server1, DNS still wasn't working properly and I had to run `ipactl restart` to 
get it working.
Thank you
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
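As an added example (not part of the post above and not a FreeIPA tool), the script below does two things for the situation described: offline, it splits the fused 389-ds error-log entries on their timestamps and counts the three symptoms the post shows (startReplication timeout, "Can't contact LDAP server", "different database generation ID"), mapping them to the next action; live, when given the peer's FQDN and the zone name as arguments, it runs the checks an admin would do on the replica logging the errors: whether the local named answers A/AAAA for the peer (the condition behind "NS ... has no address records" and the zone not loading), what the zone in LDAP holds for the peer, whether the peer's LDAP port is reachable with GSSAPI, and whether the replication generation in nsds50ruv matches on both sides. The embedded log sample is the post's lines, constructed as input; the host and zone names are placeholders, and ldapsearch -Y GSSAPI assumes a valid Kerberos ticket on the machine it runs on.

```shell
#!/bin/sh
# Added example; not from the original post and not a FreeIPA tool.
# Offline part: split the fused 389-ds replication log entries and count the
# error classes. Live part (run with two arguments on the replica that logs
# the errors, e.g. ./repl_check.sh server1.domain.com domain.com): the DNS
# and LDAP checks for the "NS has no address records" / "Can't contact LDAP
# server" / "different database generation ID" symptoms. Host and zone names
# are placeholders; ldapsearch -Y GSSAPI assumes a valid Kerberos ticket.
set -eu

# Constructed sample: the post's entries, fused onto two lines as extracted.
SAMPLE_LOG=$(cat <<'EOF'
[27/Jul/2017:04:53:22.624847790 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (server1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.[27/Jul/2017:05:01:34.472586960 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (server1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.[29/Jul/2017:01:33:20.466840208 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (server1:389): Replication bind with GSSAPI auth resumed
[29/Jul/2017:11:16:51.566360207 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (server1:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()[29/Jul/2017:11:17:00.664020018 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (server1:389): Replication bind with GSSAPI auth resumed[29/Jul/2017:11:17:01.106831731 +0000] NSMMReplicationPlugin - agmt="cn=meToserver1" (server1:389): The remote replica has a different database generation ID than the local database.  You may have to reinitialize the remote replica, or the local replica.
EOF
)

# Every 389-ds error-log entry starts with "[dd/Mon/yyyy:", so put a newline
# in front of each timestamp and drop the empty line that creates.
split_dirsrv_log() {
    awk '{ gsub(/\[[0-9][0-9]\/[A-Za-z][A-Za-z][A-Za-z]\/[0-9][0-9][0-9][0-9]:/, "\n&"); print }' \
        | awk 'NF'
}

# Count the symptoms seen in the post. An entry saying "Can't contact LDAP
# server" counts as no_contact whether it came from startReplication or from
# the GSSAPI bind.
summarize_repl_errors() {
    split_dirsrv_log | awk '
        /\(Timed out\)/                              { n["timeout"]++ }
        /Can.t contact LDAP server/                  { n["no_contact"]++ }
        /different database generation ID/           { n["gen_id_mismatch"]++ }
        /Replication bind with GSSAPI auth resumed/  { n["bind_resumed"]++ }
        END {
            printf "timeout=%d no_contact=%d gen_id_mismatch=%d bind_resumed=%d\n",
                   n["timeout"]+0, n["no_contact"]+0, n["gen_id_mismatch"]+0, n["bind_resumed"]+0
        }'
}

# Timeouts and "can't contact" clear on their own once name resolution and the
# port are fixed; a generation-ID mismatch never does and needs a re-initialize.
advise() {
    case "$1" in
        *gen_id_mismatch=0*) echo "transport errors only: fix name resolution / port 389 reachability, replication resumes on retry" ;;
        *) echo "generation ID differs: run ipa-replica-manage re-initialize --from <peer> on the stale side" ;;
    esac
}

live_checks() {
    peer=$1; zone=$2
    echo "== does the local named resolve the peer? (named refuses to load the zone when an NS has no A/AAAA)"
    dig +short A "$peer" @127.0.0.1
    dig +short AAAA "$peer" @127.0.0.1
    echo "== the peer's record as stored in LDAP (what named loads via syncrepl); assumes the record name is the peer's short hostname"
    ipa dnsrecord-show "$zone" "${peer%%.*}"
    echo "== is the peer's LDAP port reachable with GSSAPI, the way replication binds?"
    ldapsearch -LLL -H "ldap://$peer" -Y GSSAPI -b cn=config \
        '(objectClass=nsds5replicationagreement)' nsds5replicaLastUpdateStatus
    echo "== replication generation on both sides; a mismatch is the re-initialize case"
    for h in "$(hostname -f)" "$peer"; do
        ldapsearch -LLL -H "ldap://$h" -Y GSSAPI -b 'cn=mapping tree,cn=config' \
            '(objectClass=nsds5replica)' nsds50ruv | grep replicageneration
    done
}

if [ "$#" -ge 2 ]; then
    live_checks "$1" "$2"
else
    summary=$(printf '%s\n' "$SAMPLE_LOG" | summarize_repl_errors)
    echo "$summary"
    advise "$summary"
fi
```

Without arguments the script only reports on the embedded sample and prints the re-initialize advice, since the sample contains the generation-ID message; with arguments it runs the live checks, which need dig, the ipa client and ldapsearch on the replica and a ticket from kinit. The generation check is the decisive one: if the {replicageneration} values in nsds50ruv differ, no amount of DNS fixing will make the agreement catch up, which matches the post's observation that only a re-initialize brought server2 current.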
