Ricardo Mendes via FreeIPA-users wrote:
> Hi Rob thank you for your replies.
> 
> So I tried to add the replica again in order to get the 389-ds logs.
> 
> Regarding the ipa versions:
> 
> [root@ns1 ~]# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
> ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
> ipa-client-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
> 389-ds-base-1.4.3.23-12.module+el8.5.0+13329+4096c77a.x86_64
> pki-ca-10.11.2-4.module+el8.5.0+13827+5b1d191d.noarch
> krb5-server-1.18.2-14.el8.x86_64
> 
> [root@ns2 ~]# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
> ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
> ipa-client-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
> 389-ds-base-1.4.3.23-12.module+el8.5.0+13329+4096c77a.x86_64
> pki-ca-10.11.2-2.module+el8.5.0+12735+8eb38ccc.noarch
> krb5-server-1.18.2-14.el8.x86_64
> 
> [root@ns3 ~]# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
> ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
> ipa-client-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
> 389-ds-base-1.4.3.23-12.module+el8.5.0+13329+4096c77a.x86_64
> pki-ca-10.11.2-4.module+el8.5.0+13827+5b1d191d.noarch
> krb5-server-1.18.2-14.el8.x86_64
> 
> 
> 389-ds log "errors"- on the ns3 server I get these:
> ...
> [03/Mar/2022:16:48:00.624581992 +0000] - WARN - NSACLPlugin - acl_parse - The 
> ACL target cn=vaults,cn=kra,dc=dom0,dc=io does not exist
> [03/Mar/2022:16:48:00.648556508 +0000] - WARN - NSACLPlugin - acl_parse - The 
> ACL target cn=casigningcert 
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dom0,dc=io does not exist
> [03/Mar/2022:16:48:00.649871391 +0000] - WARN - NSACLPlugin - acl_parse - The 
> ACL target cn=casigningcert 
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dom0,dc=io does not exist
> [03/Mar/2022:16:48:00.812093673 +0000] - WARN - NSACLPlugin - acl_parse - The 
> ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
> [03/Mar/2022:16:48:00.827192127 +0000] - ERR - cos-plugin - cos_dn_defs_cb - 
> Skipping CoS Definition cn=Password Policy,cn=accounts,dc=dom0,dc=io--no CoS 
> Templates found, which should be added before the CoS Definition.
> [03/Mar/2022:16:48:00.900316830 +0000] - ERR - set_krb5_creds - Could not get 
> initial credentials for principal [ldap/[email protected]] in keytab 
> [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> [03/Mar/2022:16:48:00.919565091 +0000] - ERR - schema-compat-plugin - 
> schema-compat-plugin tree scan will start in about 5 seconds!
> [03/Mar/2022:16:48:00.954303578 +0000] - INFO - slapd_daemon - slapd started. 
>  Listening on All Interfaces port 389 for LDAP requests
> [03/Mar/2022:16:48:00.956458369 +0000] - INFO - slapd_daemon - Listening on 
> All Interfaces port 636 for LDAPS requests
> [03/Mar/2022:16:48:00.957156367 +0000] - INFO - slapd_daemon - Listening on 
> /var/run/slapd-DOM0-IO.socket for LDAPI requests
> [03/Mar/2022:16:48:01.399627603 +0000] - ERR - dna-plugin - 
> dna_get_remote_config_info - Using LDAP protocol, but the non-secure port is 
> not defined.
> [03/Mar/2022:16:48:01.400766987 +0000] - ERR - dna-plugin - 
> dna_request_range: Unable to retrieve replica bind credentials.
> [03/Mar/2022:16:48:05.945122138 +0000] - ERR - schema-compat-plugin - 
> warning: no entries set up under cn=computers, cn=compat,dc=dom0,dc=io
> [03/Mar/2022:16:48:05.947292612 +0000] - ERR - schema-compat-plugin - 
> Finished plugin initialization.
> [03/Mar/2022:16:50:11.843513650 +0000] - ERR - dna-plugin - _dna_pre_op_add - 
> No more values available!!
> [03/Mar/2022:16:50:11.870225283 +0000] - ERR - ipa_sidgen_add_post_op - [file 
> ipa_sidgen.c, line 128]: Missing target entry.

Looking at the 389-ds source it looks like it has determined that the
range has overflowed and so it fails. This despite that your range is
99% unused.

> 
> And on ns1 (the master to which ns3 is connected to):
> ...
> [03/Mar/2022:16:46:30.764506978 +0000] - INFO - NSMMReplicationPlugin - 
> bind_and_check_pwp - agmt="cn=meTons3.dom0.io" (ns3:389): Replication bind 
> with GSSAPI auth resumed
> [03/Mar/2022:16:47:02.271983007 +0000] - WARN - NSMMReplicationPlugin - 
> acquire_replica - agmt="cn=caTons3.dom0.io" (ns3:389): Unable to receive the 
> response for a startReplication extended operation to consumer (Can't contact 
> LDAP server). Will retry later.
> [03/Mar/2022:16:47:18.401932405 +0000] - WARN - NSMMReplicationPlugin - 
> acquire_replica - agmt="cn=meTons3.dom0.io" (ns3:389): Unable to receive the 
> response for a startReplication extended operation to consumer (Can't contact 
> LDAP server). Will retry later.
> [03/Mar/2022:16:47:33.173387566 +0000] - ERR - 
> repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]: 
> Incompatible IPA versions, pausing replication. This server: "20100614120000" 
> remote server: "(null)".
> [03/Mar/2022:16:47:33.665069742 +0000] - INFO - NSMMReplicationPlugin - 
> bind_and_check_pwp - agmt="cn=meTons3.dom0.io" (ns3:389): Replication bind 
> with GSSAPI auth resumed
> [03/Mar/2022:16:47:37.010415940 +0000] - WARN - content-sync-plugin - 
> sync_update_persist_betxn_pre_op - DB retried operation targets 
> "changenumber=4245,cn=changelog" (op=0x7f31a94cc400 idx_pl=1) => op not 
> changed in PL
> [03/Mar/2022:16:47:37.282297165 +0000] - WARN - content-sync-plugin - 
> sync_update_persist_betxn_pre_op - DB retried operation targets 
> "changenumber=4253,cn=changelog" (op=0x7f31a94cde00 idx_pl=1) => op not 
> changed in PL
> [03/Mar/2022:16:47:47.542306051 +0000] - INFO - NSMMReplicationPlugin - 
> bind_and_check_pwp - agmt="cn=caTons3.dom0.io" (ns3:389): Replication bind 
> with GSSAPI auth resumed
> [03/Mar/2022:16:47:57.596028220 +0000] - WARN - NSMMReplicationPlugin - 
> acquire_replica - agmt="cn=caTons3.dom0.io" (ns3:389): Unable to receive the 
> response for a startReplication extended operation to consumer (Can't contact 
> LDAP server). Will retry later.
> [03/Mar/2022:16:48:06.682863336 +0000] - INFO - NSMMReplicationPlugin - 
> bind_and_check_pwp - agmt="cn=caTons3.dom0.io" (ns3:389): Replication bind 
> with GSSAPI auth resumed
> 
> Couldn't find any entries related to "fallback" only those with dna-plugin. 
> The IdM master only has 3 lines with this timestamp:
> [03/Mar/2022:16:47:37.714182360 +0000] - WARN - content-sync-plugin - 
> sync_update_persist_betxn_pre_op - DB retried operation targets 
> "changenumber=3560,cn=changelog" (op=0x7f3254f19400 idx_pl=1) => op not 
> changed in PL
> [03/Mar/2022:16:47:37.759767983 +0000] - WARN - content-sync-plugin - 
> sync_update_persist_betxn_pre_op - DB retried operation targets 
> "changenumber=3562,cn=changelog" (op=0x7f3254f1da00 idx_pl=1) => op not 
> changed in PL
> [03/Mar/2022:16:47:37.885157628 +0000] - WARN - content-sync-plugin - 
> sync_update_persist_betxn_pre_op - DB retried operation targets 
> "changenumber=3566,cn=changelog" (op=0x7f32589b1800 idx_pl=1) => op not 
> changed in PL
> 
> I find quite awkward the entries saying Incompatible IPA versions, as they 
> literally have the same version, not only IPA but also distro and updates. 
> Thank you.

It logs that because the remote version was not obtained because no LDAP
connection was made. It's a preventative measure in case we make a
non-backwards-compatible change to the IPA schema.

I don't know if these connection problems are related. Are you using
--skip-conncheck with ipa-replica-install?

rob
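
Added example (not part of the original message, and not FreeIPA or 389-ds code): a small triage script for the 389-ds errors log that rejoins mail-wrapped records and separates an "Incompatible IPA versions" entry whose remote version is `"(null)"` from a real version difference, and also flags the DNA "No more values available" error. The function names, the labels and the 60-second correlation window are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Records 1, 2 and 4 are copied from the logs quoted in this thread; record 3 is constructed.
SAMPLE = """\
[03/Mar/2022:16:47:18.401932405 +0000] - WARN - NSMMReplicationPlugin -
acquire_replica - agmt="cn=meTons3.dom0.io" (ns3:389): Unable to receive the
response for a startReplication extended operation to consumer (Can't contact
LDAP server). Will retry later.
[03/Mar/2022:16:47:33.173387566 +0000] - ERR -
repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]:
Incompatible IPA versions, pausing replication. This server: "20100614120000"
remote server: "(null)".
[03/Mar/2022:16:49:00.000000000 +0000] - ERR - repl_version_plugin_recv_acquire_cb -
Incompatible IPA versions, pausing replication. This server: "20100614120000"
remote server: "20090101000000".
[03/Mar/2022:16:50:11.843513650 +0000] - ERR - dna-plugin - _dna_pre_op_add -
No more values available!!
"""

STAMP = re.compile(r'\[(\d\d/\w{3}/\d{4}(?::\d\d){3})\.\d+ [+-]\d{4}\] - (\w+) -\s*(.*)')
VERSIONS = re.compile(r'Incompatible IPA versions.*remote server: "([^"]*)"')

def records(text):
    """Rejoin mail-wrapped (and '>'-quoted) lines into (time, level, message)."""
    joined = []
    for line in text.splitlines():
        line = line.lstrip('> ').strip()
        if STAMP.match(line):            # a timestamp starts a new record
            joined.append(line)
        elif joined and line:            # anything else continues the previous one
            joined[-1] += ' ' + line
    return [(datetime.strptime(m[1], '%d/%b/%Y:%H:%M:%S'), m[2], m[3])
            for m in map(STAMP.match, joined)]

def triage(text, window=60):
    """Label notable records; window (seconds) is an assumed correlation interval."""
    recs = records(text)
    lost = [t for t, _, msg in recs if "Can't contact LDAP server" in msg]
    found = []
    for t, _, msg in recs:
        m = VERSIONS.search(msg)
        near = any(abs((t - c).total_seconds()) <= window for c in lost)
        if m and m[1] == '(null)':       # version never read, not a real mismatch
            found.append((t, 'version-not-obtained' + ('+conn-failure' if near else '')))
        elif m:
            found.append((t, 'version-mismatch'))
        elif 'No more values available' in msg:
            found.append((t, 'dna-range-exhausted'))
    return [(f'{t:%H:%M:%S}', kind) for t, kind in found]
```
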