Hi,

On Thu, Feb 15, 2024 at 3:50 PM Markus Rexhepi-Lindberg via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> The replication step fails while installing a new ipa replica server.
>
> Some facts:
>
> * Both servers running version 4.9.12.
> * Both servers running RHEL 8.9
> * Master located in Sweden and replica located in USA.
> * Actual domain has been substituted with "example.com".
>
> Some logs:
>
> = replica =
>
> replica# ipa-replica-install --verbose --setup-dns --forwarder 10.0.2.200 --forwarder 10.0.2.201 --forwarder 10.0.2.202 --setup-ca
> ...
> Created connection context.ldap2_140175491229624
> Fetching nsDS5ReplicaId from master [attempt 1/5]
> retrieving schema for SchemaCache url=ldap://se-rhidm02x.se.example.com:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f7d2304e278>
> Successfully updated nsDS5ReplicaId.
> Add or update replica config cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config
> Added replica config cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config
> update_entry modlist [(0, 'nsDS5ReplicaBindDN', [b'cn=ldap/se-rhidm02x.se.example....@lnx.example.com,cn=config'])]
> Add or update replica config cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config
> No update to cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config necessary
>

The replica creates an entry on the master, cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config, that should contain nsDS5ReplicaId, nsDS5ReplicaBindDN: cn=replication manager,cn=config and nsDS5ReplicaBindDNGroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=ipa,dc=test. Since there is a message "No update to ... necessary", it looks like the master already knows about this replica; maybe it is not the first time you try to add it?

> Waiting up to 300 seconds for replication (ldap://se-rhidm02x.se.example.com:389)
> cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config (objectclass=*)
> Entry found [LDAPEntry(ipapython.dn.DN('cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config'),
> {'objectClass': [b'nsds5replicationagreement', b'top'], 'cn': [b'meTousidc1-rhidm01x.idc1.us.example.com'],
> 'nsDS5ReplicaHost': [b'usidc1-rhidm01x.idc1.us.example.com'], 'nsDS5ReplicaPort': [b'389'],
> 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=lnx,dc=example,dc=com'],
> 'description': [b'me to usidc1-rhidm01x.idc1.us.example.com'],
> 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'],
> 'nsDS5ReplicaTransportInfo': [b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'],
> 'nsds5ReplicaStripAttrs': [b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'],
> 'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'],
> 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'],
> 'nsds5replicaChangesSentSinceStartup': [b''],
> 'nsds5replicaLastUpdateStatus': [b'Error (-2) Problem connecting to replica - LDAP error: Local error (connection error)'],
> 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "red", "ldap_rc": "-2", "ldap_rc_text": "Local error", "repl_rc": "16", "repl_rc_text": "connection error", "date": "2024-02-15T14:35:36Z", "message": "Error (-2) Problem connecting to replica - LDAP error: Local error (connection error)"}'],
> 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
>

The replica starts replication by setting nsds5BeginReplicaRefresh=start on the master (entry cn=meToreplica,...) and reads the entry to check the replication status. This message *"Error (-2) Problem connecting to replica - LDAP error: Local error (connection error)"* indicates an issue when the master tries to communicate with the replica. You may find corresponding logs in the master's 389ds error log and maybe a failed connection in the replica's 389ds access log.

> Waiting up to 300 seconds for replication (ldapi://%2Frun%2Fslapd-LNX-EXAMPLE-COM.socket)
> cn=meTose-rhidm02x.se.example.com,cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config (objectclass=*)
> Entry found [LDAPEntry(ipapython.dn.DN('cn=meTose-rhidm02x.se.example.com,cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config'),
> {'objectClass': [b'nsds5replicationagreement', b'top'], 'cn': [b'meTose-rhidm02x.se.example.com'],
> 'nsDS5ReplicaHost': [b'se-rhidm02x.se.example.com'], 'nsDS5ReplicaPort': [b'389'],
> 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=lnx,dc=example,dc=com'],
> 'description': [b'me to se-rhidm02x.se.example.com'],
> 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'],
> 'nsDS5ReplicaTransportInfo': [b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'],
> 'nsds5ReplicaStripAttrs': [b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'],
> 'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'],
> 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'],
> 'nsds5replicaChangesSentSinceStartup': [b''],
> 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'],
> 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2024-02-15T14:35:28Z", "message": "Error (0) No replication sessions started since server startup"}'],
> 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
> Starting replication, please wait until this has completed.
> Update in progress, 15 seconds elapsed
> [ldap://se-rhidm02x.se.example.com:389] reports: Update failed! Status: [Error (-2) - LDAP error: Local error - no response received]
>
> replica# cat /var/log/dirsrv/slapd-LNX-EXAMPLE-COM/errors
> ...
> [15/Feb/2024:09:35:58.128874085 -0500] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTose-rhidm02x.se.example.com" (se-rhidm02x:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
> ...
>
> replica# cat /var/log/dirsrv/slapd-LNX-EXAMPLE-COM/access
> ...
> [15/Feb/2024:09:35:28.821998361 -0500] conn=6 fd=119 slot=119 connection from 10.0.13.145 to 192.168.224.21
> [15/Feb/2024:09:35:28.827100928 -0500] conn=6 op=0 UNBIND
> [15/Feb/2024:09:35:28.827120206 -0500] conn=6 op=0 fd=119 closed error - U1
> ...
>
> = master =
>
> master# cat /var/log/dirsrv/slapd-LNX-EXAMPLE-COM/access
> ...
> [15/Feb/2024:15:35:44.803292478 +0100] conn=37567 op=31 SRCH base="cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="nsds5BeginReplicaRefresh nsds5replicaLastInitStart cn nsds5replicaLastInitStatusJSON nsds5replicaLastInitEnd nsds5replicaUpdateInProgress nsds5replicaLastInitStatus"
> [15/Feb/2024:15:35:44.803737834 +0100] conn=37567 op=31 RESULT err=0 tag=101 nentries=1 wtime=0.000219465 optime=0.000451462 etime=0.000669200
> [15/Feb/2024:15:35:45.170456864 +0100] conn=37383 op=16 UNBIND
> [15/Feb/2024:15:35:45.170486056 +0100] conn=37383 op=16 fd=273 closed error - U1
> ...
>
> master# cat /var/log/dirsrv/slapd-LNX-EXAMPLE-COM/errors
> ...
> [15/Feb/2024:15:35:37.160764934 +0100] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 1 seconds.
> [15/Feb/2024:15:35:38.274695202 +0100] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 2 seconds.
> [15/Feb/2024:15:35:40.388281036 +0100] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 3 seconds.
> [15/Feb/2024:15:35:43.503252882 +0100] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 4 seconds.
> [15/Feb/2024:15:35:47.618537566 +0100] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 5 seconds.
> ...
>

Is there any log right before that one which would indicate a bind issue from master to replica?

You can re-try a clean install:
- on the replica, ipa-server-install --uninstall -U; kdestroy -A
- on the master, ipa server-del <replica fqdn>
- on the replica, ipa-replica-install <your options>

flo

> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
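As an added example (not code from the thread or from FreeIPA), the following Python script does the cross-host log correlation the reply asks for: it parses 389ds access/errors lines from both servers, converts their timestamps to UTC (the master logs in +0100, the replica in -0500, so raw stamps cannot be compared directly) and flags the symptoms seen above: the master's repeated "Unable to acquire replica" warnings, replica connections that closed without any BIND, and the generation ID mismatch. The sample lines are constructed from the logs quoted in the thread, trimmed; the timestamp layout is assumed to be the one shown there.

```python
import re
from datetime import datetime, timezone

# Constructed sample input, trimmed from the thread's logs (master +0100, replica -0500).
MASTER_ERRORS = """\
[15/Feb/2024:15:35:37.160764934 +0100] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 1 seconds.
[15/Feb/2024:15:35:38.274695202 +0100] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 2 seconds.
"""
REPLICA_ACCESS = """\
[15/Feb/2024:09:35:28.821998361 -0500] conn=6 fd=119 slot=119 connection from 10.0.13.145 to 192.168.224.21
[15/Feb/2024:09:35:28.827100928 -0500] conn=6 op=0 UNBIND
[15/Feb/2024:09:35:28.827120206 -0500] conn=6 op=0 fd=119 closed error - U1
"""
REPLICA_ERRORS = """\
[15/Feb/2024:09:35:58.128874085 -0500] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTose-rhidm02x.se.example.com" (se-rhidm02x:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
"""

# 389ds stamp as seen in the logs: [15/Feb/2024:09:35:28.821998361 -0500]
TS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(\d+) ([+-]\d{4})\] (.*)$")

def parse_line(host, line):
    """Return (utc_time, host, message) for one log line, or None if it has no stamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    stamp, frac, tz, msg = m.groups()
    ts = datetime.strptime(f"{stamp} {tz}", "%d/%b/%Y:%H:%M:%S %z")
    ts = ts.replace(microsecond=int(frac[:6].ljust(6, "0")))  # nanoseconds -> microseconds
    return ts.astimezone(timezone.utc), host, msg

def timeline(sources):
    """Merge (host, text) log sources into one event list sorted by UTC time."""
    events = []
    for host, text in sources:
        events += [ev for ev in (parse_line(host, l) for l in text.splitlines()) if ev]
    return sorted(events)

def diagnose(events):
    """Flag the replication symptoms discussed in the thread; returns a summary dict."""
    opened, bound, failures, gen_mismatch = {}, set(), [], False
    for ts, host, msg in events:
        failures += [ts] if "Unable to acquire replica for total update" in msg else []
        gen_mismatch |= "different database generation ID" in msg
        if m := re.search(r"conn=(\d+) .*connection from (\S+)", msg):
            opened[(host, m.group(1))] = m.group(2)      # who opened the connection
        if m := re.search(r"conn=(\d+) op=\d+ BIND", msg):
            bound.add((host, m.group(1)))                 # connections that did BIND
    return {"first_acquire_failure": min(failures, default=None),
            "unbound_conns": {k: v for k, v in opened.items() if k not in bound},
            "generation_mismatch": gen_mismatch}
```

On the constructed input the timeline shows the replica accepting a connection from 10.0.13.145 at 14:35:28Z that is unbound and closed at once, about nine seconds before the master starts its "Unable to acquire replica" retries, which is the ordering a reader would otherwise have to work out by hand across two time zones.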