Nicholas Cross via FreeIPA-users wrote:
> Tested this again making sure that dirsrv is not running and the replica
> record is back.
>
> I am obviously doing something wrong. My steps are below. I appreciate your
> time on this.
>
>
> #
> # check dirsrv is currently running
> #
> [root@ipa006 ~]# ps aux | grep dirsrv
> dirsrv 3221639 31.4 5.4 2418488 883856 ? Ssl Apr24 322:04
> /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-AD-companyx-FM -i
> /run/dirsrv/slapd-AD-companyx-FM.pid
> root 3281205 0.0 0.0 6412 2204 pts/2 S+ 09:11 0:00 grep
> --color=auto dirsrv
>
> #
> # shutdown dirsrv
> #
> [root@ipa006 ~]# time systemctl stop [email protected]
>
> real 10m0.130s
> user 0m0.009s
> sys 0m0.012s
>
> #
> # check dirsrv is not running 1
> #
> [root@ipa006 ~]# ps aux | grep dirsrv
> root 3282962 0.0 0.0 6412 2244 pts/2 S+ 09:47 0:00 grep
> --color=auto dirsrv
>
> #
> # check dirsrv is not running 2
> #
> [root@ipa006 slapd-AD-companyx-FM]# ipactl status
> Directory Service: STOPPED
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> 1 service(s) are not running
>
> #
> # go to right folder
> #
> [root@ipa006 ~]# cd /etc/dirsrv/slapd-AD-companyx-FM/
>
> #
> # make a backup just in case
> #
> [root@ipa006 slapd-AD-companyx-FM]# cp dse.ldif dse.ldif.nickx-25apr23
>
> #
> # edit ldif
> #
> [root@ipa006 slapd-AD-companyx-FM]# vi dse.ldif
>
> #
> # remove this record. Hoping it's the right thing to do.
> #
> dn:
> cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Ddi
> ce\2Cdc\3Dfm,cn=mapping tree,cn=config
> objectClass: nsds5replicationagreement
> objectClass: ipaReplTopoManagedAgreement
> objectClass: top
> cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm
> nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm
> nsDS5ReplicaPort: 389
> nsds5replicaTimeout: 300
> nsDS5ReplicaRoot: dc=ad,dc=companyx,dc=fm
> description: ipa006.ad.companyx.fm to bad_serverdc.ad.companyx.fm
> ipaReplTopoManagedAgreementState: managed agreement - generated by topology pl
> ugin
> nsDS5ReplicaTransportInfo: LDAP
> nsDS5ReplicaBindMethod: SASL/GSSAPI
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
> entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
> ternalModifyTimestamp
> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
> uccessfulauth krblastfailedauth krbloginfailedcount
> creatorsName: cn=IPA Topology Configuration,cn=plugins,cn=config
> modifiersName: cn=IPA Topology Configuration,cn=plugins,cn=config
> createTimestamp: 20230425095140Z
> modifyTimestamp: 20230425095140Z
>
> #
> # check no records exist in dse.ldif
> #
> [root@ipa006 slapd-AD-companyx-FM]# grep bad_server dse.ldif
> [root@ipa006 slapd-AD-companyx-FM]#
>
> [root@ipa006 slapd-AD-companyx-FM]# time systemctl start
> [email protected]
>
> real 0m12.343s
> user 0m0.006s
> sys 0m0.007s
>
> #
> # Look in logs
> #
> Apr 25 09:51:51 ipa006.ad.companyx.fm ns-slapd[3283119]:
> [25/Apr/2023:09:51:51.484197325 +0000] - ERR - NSMMReplicationPlugin -
> bind_and_check_pwp -
> agmt="cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm"
> (bad_serverdc:389) - Replication bind with GSSAPI auth failed: LDAP error -1
> (Can't contact LDAP server) ()
>
> #
> # check dse.ldif again - find entry is back!
> #
> [root@ipa006 slapd-AD-companyx-FM]# grep bad_server dse.ldif
> dn:
> cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Ddi
> cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm
> nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm
> description: ipa006.ad.companyx.fm to bad_serverdc.ad.companyx.fm
>
> #
> # scratch head and ponder life, the universe and everything
> #
I have a guess about what is happening. The topology is also stored within IPA itself. I wonder if this is self-healing.

I assume you've ensured that the bad server is not anywhere else inside of IPA?

ipa server-del bad_server?

Does its host entry exist?

ipa-replica-manage list -v `hostname` on the server where the agreement exists?

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
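The entry Nicholas deleted carries objectClass ipaReplTopoManagedAgreement and the state "managed agreement - generated by topology plugin", which is the clue behind Rob's guess: the agreement is owned by the topology stored in IPA, so the plugin recreates it whenever dirsrv starts. The script below is an added example, not code from the thread or from FreeIPA: it parses a dse.ldif (handling LDIF folded lines like the "topology pl" / "ugin" split above) and lists every replication agreement, flagging the topology-managed ones that have to be removed through IPA (for instance the ipa server-del Rob mentions) rather than by editing the file. The sample dse.ldif is constructed from the thread's entry.

```python
"""Parse a 389-ds dse.ldif, list replication agreements and flag those managed
by the IPA topology plugin: they are regenerated from the topology stored in
IPA, so deleting them by hand from dse.ldif does not stick (added example)."""
# Constructed sample modelled on the thread's entry; not the real dse.ldif.
SAMPLE_DSE_LDIF = """\
dn: cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=config
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm
nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm
ipaReplTopoManagedAgreementState: managed agreement - generated by topology pl
 ugin

dn: cn=manual-agmt,cn=replica,cn=config
objectClass: nsds5replicationagreement
cn: manual-agmt
nsDS5ReplicaHost: other.ad.companyx.fm
"""

def parse_ldif(text):
    """Minimal LDIF parser: one {attr (lowercased): [values]} dict per entry;
    unfolds continuation lines (leading space), skips '#' comment lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # folded line continues previous
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:               # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def replication_agreements(text):
    """Return (cn, replica host, managed_by_topology_plugin) per agreement."""
    result = []
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "nsds5replicationagreement" in classes:
            managed = "iparepltopomanagedagreement" in classes
            result.append((entry["cn"][0], entry["nsds5replicahost"][0], managed))
    return result
```

To run it against a live instance, pass the contents of /etc/dirsrv/slapd-<instance>/dse.ldif to replication_agreements() with dirsrv stopped; agreements flagged True will come back on restart unless the server is removed from the IPA topology.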
