Thanks. I'm actually trying to upgrade to 4.5, and I'm following instructions for migrating to new platform/OS, which involves preparing and then installing a replica on the new platform (which is IPA 4.5/fedora 26).
Anyway, I did manage to trace the encoding error to entries in LDAP that don't have a unique ID. Here's a gdb trace: Breakpoint 1, entry2bere (e=e@entry=0x7ff37517d8b0, excluded_attrs=excluded_attrs@entry=0x7ff37403b9a0) at ldap/servers/plugins/replication/repl5_total.c:244 (gdb) p *e $2 = {e_sdn = {flag = 6 '\006', udn = 0x0, dn = 0x7ff37517d9b0 "nsuniqueid=17105281-b68811e3-a4c3e04e-631dd285,fqdn=eda-cr18x.example.com +nsuniqueid=17105281-b68811e3-a4c3e04e-631dd285,cn=computers,cn=accounts,dc=example,dc=com", ndn = 0x7ff37517d600 "nsuniqueid=17105281-b68811e3-a4c3e04e-631dd285,fqdn=eda-cr18x.example.com +nsuniqueid=17105281-b68811e3-a4c3e04e-631dd285,cn=computers,cn=accounts,dc=example,dc=com", ndn_len = 179}, e_srdn = { flag = 0 '\000', rrdn = 0x7ff3751939c0 "nsuniqueid=17105281-b68811e3-a4c3e04e-631dd285,fqdn=eda-cr18x.example.com +nsuniqueid=17105281-b68811e3-a4c3e04e-631dd285", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7ff3751633e0, all_nrdns = 0x0}, e_uniqueid = 0x0, e_dncsnset = 0x7ff3751926b0, e_maxcsn = 0x7ff37517db30, e_attrs = 0x7ff375172340, e_deleted_attrs = 0x7ff3751934a0, e_virtual_attrs = 0x0, e_virtual_watermark = 0, e_virtual_lock = 0x7ff37517d970, e_extension = 0x7ff37514c920, e_flags = 1 '\001', e_aux_attrs = 0x0} Note that `e_uniqueid` is NULL. Also, I have deleted the `eda-cr18x` host long ago, and can't find it through any ldapsearch. I just don't know where it's coming from. On Thu, Nov 9, 2017 at 12:41 Felipe Barreto <fbarr...@redhat.com> wrote: > Hello, > > freeIPA 3.x is no longer supported, you need to update it. > The same to Fedora. > > On 11/09/2017 01:38 PM, Nevada Sanchez via FreeIPA-users wrote: > > I've been trying to set up a replica for a FreeIPA server (3.3.5 on > > Fedora 19) and am running into what appears to be an encoding issue on > > the server as it tries to deliver data to the replica. It is line 9 > below: > > > > [09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=7 > > repl="dc=example,dc=com": Acquired replica > > [09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=7 > > repl="dc=example,dc=com": StartNSDS90ReplicationRequest: response=0 rc=0 > > [09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=7 > > Relinquishing consumer connection extension > > [09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=8 > > Acquired consumer connection extension > > [09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=8 > > repl="dc=example,dc=com": Released replica held by > > locking_purl=conn=1275 id=7 > > [09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=8 > > Relinquishing consumer connection extension > > [09/Nov/2017:12:34:09 +0000] NSMMReplicationPlugin - > > agmt="cn=meToipa-replica.example.com > > <http://meToipa-replica.example.com>" (ipa-replica:389): Replica was > > successfully acquired. > > [09/Nov/2017:12:34:09 +0000] NSMMReplicationPlugin - Beginning total > > update of replica "agmt="cn=meToipa-replica.example.com > > <http://meToipa-replica.example.com>" (ipa-replica:389)". > > *[09/Nov/2017:12:34:09 +0000] NSMMReplicationPlugin - > > agmt="cn=meToipa-replica.example.com > > <http://meToipa-replica.example.com>" (ipa-replica:389): send_entry: > > Encoding Error* > > [09/Nov/2017:12:34:09 +0000] - repl5_tot_waitfor_async_results: 400 403 > > [09/Nov/2017:12:34:10 +0000] - repl5_tot_waitfor_async_results: 403 403 > > [09/Nov/2017:12:34:11 +0000] NSMMReplicationPlugin - > > agmt="cn=meToipa-replica.example.com > > <http://meToipa-replica.example.com>" (ipa-replica:389): Successfully > > released consumer > > [09/Nov/2017:12:34:11 +0000] NSMMReplicationPlugin - > > agmt="cn=meToipa-replica.example.com > > <http://meToipa-replica.example.com>" (ipa-replica:389): Beginning > > linger on the connection > > *[09/Nov/2017:12:34:11 +0000] NSMMReplicationPlugin - > > agmt="cn=meToipa-replica.example.com > > <http://meToipa-replica.example.com>" (ipa-replica:389): repl5_tot_run: > > failed to obtain data to send to the consumer; LDAP error - -1* > > [09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - > > agmt="cn=meToipa-replica.example.com > > <http://meToipa-replica.example.com>" (ipa-replica:389): Cancelling > > linger on the connection > > [09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - > > agmt="cn=meToipa-replica.example.com > > <http://meToipa-replica.example.com>" (ipa-replica:389): Disconnected > > from the consumer > > [09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - > > agmt="cn=meToipa-replica.example.com > > <http://meToipa-replica.example.com>" (ipa-replica:389): State: start -> > > ready_to_acquire_replica > > [09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - > > agmt="cn=meToipa-replica.example.com > > <http://meToipa-replica.example.com>" (ipa-replica:389): Trying > > non-secure slapi_ldap_init_ext > > [09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - > > agmt="cn=meToipa-replica.example.com > > <http://meToipa-replica.example.com>" (ipa-replica:389): binddn = , > > passwd = > > [09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - > > agmt="cn=meToipa-replica.example.com > > <http://meToipa-replica.example.com>" (ipa-replica:389): No linger to > > cancel on the connection > > > > I've traced this to the `repl5_tot_run` in the 389 source code and the > > logs indicate that it makes it through acquiring the replica, but fails > > on the `slapi_search_internal_callback_pb` call which seems like it's > > supposed to transmit data to the replica. Continuing through the source, > > it seems like the Encoding error is the key since the `slapi_search` > > calls `send_entry` to encode the LDAP transaction and the `entry2bere` > > function must be unhappy with something it's receiving. > > > > Any ideas on what could be causing this? Is there a rogue data entry in > > my directory that's hitting a corner case of the encoder? > > > > I've attached replica logs below for further context, though I'm > > currently thinking the problem is master side. The "LDAP error: Can't > > contact LDAP server" you see below is actually what the ipa master put > > into 'nsds5ReplicaLastInitStatus' attribute of the replica agreement and > > I've confirmed ldapsearch (389 and 636) are both happy going either way. > > > > Connection check OK > > Adding [10.0.3.78 ipa-replica.example.com > > <http://ipa-replica.example.com>] to your /etc/hosts file > > Configuring NTP daemon (ntpd) > > [1/4]: stopping ntpd > > [2/4]: writing configuration > > [3/4]: configuring ntpd to start on boot > > [4/4]: starting ntpd > > Done configuring NTP daemon (ntpd). > > Configuring directory server (dirsrv). Estimated time: 1 minute > > [1/42]: creating directory server user > > [2/42]: creating directory server instance > > [3/42]: updating configuration in dse.ldif > > [4/42]: restarting directory server > > [5/42]: adding default schema > > [6/42]: enabling memberof plugin > > [7/42]: enabling winsync plugin > > [8/42]: configuring replication version plugin > > [9/42]: enabling IPA enrollment plugin > > [10/42]: enabling ldapi > > [11/42]: configuring uniqueness plugin > > [12/42]: configuring uuid plugin > > [13/42]: configuring modrdn plugin > > [14/42]: configuring DNS plugin > > [15/42]: enabling entryUSN plugin > > [16/42]: configuring lockout plugin > > [17/42]: configuring topology plugin > > [18/42]: creating indices > > [19/42]: enabling referential integrity plugin > > [20/42]: configuring ssl for ds instance > > [21/42]: configuring certmap.conf > > [22/42]: configure autobind for root > > [23/42]: configure new location for managed entries > > [24/42]: configure dirsrv ccache > > [25/42]: enabling SASL mapping fallback > > [26/42]: restarting directory server > > [27/42]: setting up initial replication > > Starting replication, please wait until this has completed. > > Update in progress, 5 seconds elapsed > > [ipa.example.com <http://ipa.example.com>] reports: Update failed! > > Status: [-1 Total update abortedLDAP error: Can't contact LDAP server] > > > > [error] RuntimeError: Failed to start replication > > Your system may be partly configured. > > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to > > start replication > > ipa.ipapython.install.cli.install_tool(Replica): ERROR The > > ipa-replica-install command failed. See /var/log/ipareplica-install.log > > for more information > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > > To unsubscribe send an email to > freeipa-users-le...@lists.fedorahosted.org > > >
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org