On Mon, Jun 21, 2021, at 11:02 AM, Bret Wortman via FreeIPA-users wrote:
> On Mon, Jun 21, 2021, at 10:55 AM, Rob Crittenden wrote:
> > Bret Wortman via FreeIPA-users wrote:
> > > On Mon, Jun 21, 2021, at 9:03 AM, Bret Wortman via FreeIPA-users wrote:
> > >> On Fri, Jun 18, 2021, at 1:32 PM, Rob Crittenden wrote:
> > >>> Awesome, glad to hear it. When you complete the migration don't forget
> > >>> to move over the DNA settings, CRL generation and other stuff.
> > >>
> > >> Is this documented somewhere? I'd hate to miss a step.
> > > 
> > > Also, my new host, ipa2, is claiming to already have a replication 
> > > agreement with ipa2c7 but I'm not seeing it:
> > > 
> > > [root@ipa2c7 ~]# ipa-replica-manage list
> > > ipa1.our.net: master
> > > ipa2c7.our.net: master
> > > [root@ipa2c7 ~]# ipa-replica-manage list-ruv
> > > Directory Manager password: 
> > > 
> > > unable to decode: {replica 13} 60b907570001000d0000 60b907570001000d0000
> > > unable to decode: {replica 14} 60b923030002000e0000 60b923030002000e0000
> > > unable to decode: {replica 21} 60cb27ed000600150000 60cb27ed000600150000
> > > unable to decode: {replica 24} 60cc5b11000400180000 60cc5b11000400180000
> > > unable to decode: {replica 17} 60be13a5000000110000 60be13c9000700110000
> > > unable to decode: {replica 18} 60bf4aec000000120000 60c07065000200120000
> > > unable to decode: {replica 5}
> > > Replica Update Vectors:
> > >   ipa2c7.our.net:389: 26
> > >   ipa1.our.net:389: 4
> > > Certificate Server Replica Update Vectors:
> > >   ipa2c7.our.net:389: 91
> > >   ipa1.our.net:389: 96
> > > [root@ipa2c7 ~]# 
> > > 
> > > Could it be one of those "unable to decode" replicas and if so how do I 
> > > get rid of those?
> > 
> > Try ipa-replica-manage clean-dangling-ruv
> > 
> > and/or ipa-replica-manage clean-ruv <replica id>
> 
> I did the clean-dangling-ruv and it got me to this point. When I try to 
> clean-ruv one of these IDs:
> 
> [root@ipa2c7 ~]# ipa-replica-manage clean-ruv 13
> Directory Manager password: 
> 
> unable to decode: {replica 13} 60b907570001000d0000 60b907570001000d0000
> unable to decode: {replica 14} 60b923030002000e0000 60b923030002000e0000
> unable to decode: {replica 21} 60cb27ed000600150000 60cb27ed000600150000
> unable to decode: {replica 24} 60cc5b11000400180000 60cc5b11000400180000
> unable to decode: {replica 17} 60be13a5000000110000 60be13c9000700110000
> unable to decode: {replica 18} 60bf4aec000000120000 60c07065000200120000
> unable to decode: {replica 5}
> Replica ID 13 not found
> [root@ipa2c7 ~]# 
> 
> And it does the same for each.

ipa-replica-install (from a file) fails at LDAP each time without exception and 
I'm at a loss. I assume this is the local LDAP (it's up and running, as is the 
one on the master). The session running the install shows this:

  [28/42]: ignore time skew for initial replication
  [29/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 14 seconds elapsed
[ldap://ipa2c7.our.net:389] reports: Update failed! Status: [Error (-1)  - LDAP error: Can't contact LDAP server]

  [error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR    Failed to start replication
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

While /var/log/dirsrv/slapd-OUR-NET/errors shows:

[21/Jun/2021:16:09:27.828454697 +0000] - NOTICE - ldbm_back_start - found 3880256k physical memory
[21/Jun/2021:16:09:27.828686874 +0000] - NOTICE - ldbm_back_start - found 3217604k available
[21/Jun/2021:16:09:27.828889226 +0000] - NOTICE - ldbm_back_start - cache autosizing: db cache: 97006k
[21/Jun/2021:16:09:27.829111098 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (1 total): 262144k
[21/Jun/2021:16:09:27.830332460 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (1 total): 65536k
[21/Jun/2021:16:09:27.830869767 +0000] - NOTICE - ldbm_back_start - total cache size: 415011962 B;
[21/Jun/2021:16:09:27.966802789 +0000] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[21/Jun/2021:16:09:27.967189984 +0000] - INFO - slapd_daemon - Listening on /var/run/slapd-OUR-NET.socket for LDAPI requests
[21/Jun/2021:16:09:28.106773443 +0000] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2c7.our.net" (ipa2c7:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[21/Jun/2021:16:09:28.119010503 +0000] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2c7.our.net" (ipa2c7:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[21/Jun/2021:16:09:31.136160660 +0000] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meToipa2c7.our.net" (ipa2c7:389): The remote replica has a different database generation ID than the local database.  You may have to reinitialize the remote replica, or the local replica.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org