Hi Rob, Thanks for your reply. >what OS release are you using? My master is running in docker container with freeipa-server:centos-7-4.6.8 and replica is freeipa-server:almalinux-8-4.9.12.
>I'd also look in the journal for certmonger to see if it logged additional >info about the request. Here is all I can find in journalctl about that particular request Mar 12 14:48:50 replica.example.com systemd[1]: Started The Apache HTTP Server. Mar 12 14:48:50 replica.example.com httpd[3413]: Server configured, listening on: port 443, port 80 Mar 12 14:48:50 replica.example.com platform-python[299]: GSSAPI client step 1 Mar 12 14:48:50 replica.example.com platform-python[299]: GSSAPI client step 1 Mar 12 14:48:50 replica.example.com platform-python[299]: GSSAPI client step 1 Mar 12 14:48:50 replica.example.com platform-python[299]: GSSAPI client step 2 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[3685]: 2024-03-12 14:48:51 [3685] error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Setting "CERTMONGER_REQ_SUBJECT" to "O=EXAMPLE.COM,cn=replica.example.com" for child. Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Setting "CERTMONGER_REQ_HOSTNAME" to "replica.example.com" for child. Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Setting "CERTMONGER_REQ_PRINCIPAL" to "krbtgt/[email protected]" for child. Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child. Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Setting "CERTMONGER_CSR" to "-----BEGIN CERTIFICATE REQUEST----- Mar 12 14:48:51 replica.example.com certmonger[3686]: MIID3DCCAsQCAQAwQjEZMBcGA1UECgwQRkxPUkEuTFRGUy5UT09MUzElMCMGA1UE Mar 12 14:48:51 replica.example.com certmonger[3686]: AxMcaXBhLXNsYXZlMDEuZmxvcmEubHRmcy50b29sczCCASIwDQYJKoZIhvcNAQEB Mar 12 14:48:51 replica.example.com certmonger[3686]: BQADggEPADCCAQoCggEBAPRUIp5MLhpT5+vBdM3Gxt5IdVBJHlfu6uIfSK3HJcsb Mar 12 14:48:51 replica.example.com certmonger[3686]: rjRdh6jPmo/WTPsnEKVQtBpy6UQVK6CGmjUX3gc+TeZ/XWYFk08Nl+C2QCPYzyp7 Mar 12 14:48:51 replica.example.com certmonger[3686]: 0/RorK2sx0wcUN4LVQTtXalGPpUn+TZgO7w40VqwYRAa/cJt5jGOljE2V7tVpJXF Mar 12 14:48:51 replica.example.com certmonger[3686]: qsE2AaTc+vGl2xwUlgFj0/lAYsJZvv3prnkHk2ZHtuUEhNyc7HfXCjnzkCToj1gm Mar 12 14:48:51 replica.example.com certmonger[3686]: FlQdgGxfmbyAMSWjiz6mRDJq0XJgoAoqSs7u+IOny0v+27jJu2eobPTNPMav2hlo Mar 12 14:48:51 replica.example.com certmonger[3686]: a9bywDusRukfurqNC00i/TH2iuJon1QoOUvPJdrdK70CAwEAAaCCAVMwKwYJKoZI Mar 12 14:48:51 replica.example.com certmonger[3686]: hvcNAQkUMR4eHAAyADAAMgA0ADAAMwAxADIAMQA0ADQAOAA1ADEwggEiBgkqhkiG Mar 12 14:48:51 replica.example.com certmonger[3686]: 9w0BCQ4xggETMIIBDzCBrAYDVR0RBIGkMIGhghxpcGEtc2xhdmUwMS5mbG9yYS5s Mar 12 14:48:51 replica.example.com certmonger[3686]: dGZzLnRvb2xzoDgGCisGAQQBgjcUAgOgKgwoa3JidGd0L0ZMT1JBLkxURlMuVE9P Mar 12 14:48:51 replica.example.com certmonger[3686]: TFNARkxPUkEuTFRGUy5UT09MU6BHBgYrBgEFAgKgPTA7oBIbEEZMT1JBLkxURlMu Mar 12 14:48:51 replica.example.com certmonger[3686]: VE9PTFOhJTAjoAMCAQGhHDAaGwZrcmJ0Z3QbEEZMT1JBLkxURlMuVE9PTFMwDAYD Mar 12 14:48:51 replica.example.com certmonger[3686]: VR0TAQH/BAIwADAdBgNVHQ4EFgQUqt/MlzFeUhqoXqWF/wPkFEQlAQQwMQYJKwYB Mar 12 14:48:51 replica.example.com certmonger[3686]: BAGCNxQCBCQeIgBLAEQAQwBzAF8AUABLAEkATgBJAFQAXwBDAGUAcgB0AHMwDQYJ Mar 12 14:48:51 replica.example.com certmonger[3686]: KoZIhvcNAQELBQADggEBAKjvYfc4LD4+R0ZblIg6COt29K26fNzhC1cj/Nnj76hK Mar 12 14:48:51 replica.example.com certmonger[3686]: ly5i2ITjUnBI1SjvqlV1DqGqAd0TcWaP8DzxTsTbZG47MNg3Mtjx5HjB5uX3XydP Mar 12 14:48:51 replica.example.com certmonger[3686]: 2JEKtWIFTgqB3ZXBBKSAGGwQMYsuMHgfmjb2s3WV4yXooLuv0fTBLMwWnIlT/Pf+ Mar 12 14:48:51 replica.example.com certmonger[3686]: xRuvbREv5t65TEw23/naasR/C0SzxG9LkInJE7WrX7MGqo8SgcUeC/J29jmlSCL/ Mar 12 14:48:51 replica.example.com certmonger[3686]: 9vKEUnIgZkMrqco2KdSgUxMLmqLdfK9t1LpLik8lh1W3WOH7epAz/jmkt7zQqkC8 Mar 12 14:48:51 replica.example.com certmonger[3686]: BHJHpO3WP+MFMJuK1FfW5sMeoEiKulEtGL1NYKnPIZA= Mar 12 14:48:51 replica.example.com certmonger[3686]: -----END CERTIFICATE REQUEST----- Mar 12 14:48:51 replica.example.com certmonger[3686]: " for child. Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Setting "CERTMONGER_SPKAC" to "MIICQDCCASgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0VCKeTC4aU+frwXTNxsbeSHVQSR5X7uriH0itxyXLG640XYeoz5qP1kz7JxClULQaculEFSughpo1F94HPk3mf11mBZNPDZfgtkAj2M8qe9P0aKytrMdMHFDeC1UE7V2pRj6VJ/k2YDu8ONFasGEQGv3CbeYxjpYxNle7VaSVxarBNgGk3PrxpdscFJYBY9P5QGLCWb796a55B5NmR7blBITcnOx31wo585Ak6I9YJhZUHYBsX5m8gDElo4s+pkQyatFyYKAKKkrO7viDp8tL/tu4ybtnqGz0zTzGr9oZaGvW8sA7rEbpH7q6jQtNIv0x9oriaJ9UKDlLzyXa3Su9AgMBAAEWADANBgkqhkiG9w0BAQsFAAOCAQEAUrMSI/CB/D2Jx8KIRJORQPt711QUWvURi8MJuQF2VpDxGugKl0Jqbqpl+vgDcrVi8PegIdecCrkXV+Ws0UocMv7ld8zpUAQhLmyqt5QXdoa0UzVqDQQm/TsnspSLK3QKWwscgRsg+8Z737VJp6zh5QrQ+mFbSPPYVOt1LQN6DvTTJ6yqb/Zbk37k1nBm2io1XOD+t9gbHiv/iE9yZXLd44Iscg+gSz9+d4E3gT2wRcfXskiaYd4MOnZDA64OgPNYXgVP99nVsAwjhxtCoe774qHi4920mdzC6XnjrxafPpvBU0o7czyXwAR2biLy9ofgQjn+JAj3Dyg2HvH0LxBo2w==" for child. Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Setting "CERTMONGER_SPKI" to "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9FQinkwuGlPn68F0zcbG3kh1UEkeV+7q4h9IrcclyxuuNF2HqM+aj9ZM+ycQpVC0GnLpRBUroIaaNRfeBz5N5n9dZgWTTw2X4LZAI9jPKnvT9GisrazHTBxQ3gtVBO1dqUY+lSf5NmA7vDjRWrBhEBr9wm3mMY6WMTZXu1WklcWqwTYBpNz68aXbHBSWAWPT+UBiwlm+/emueQeTZke25QSE3Jzsd9cKOfOQJOiPWCYWVB2AbF+ZvIAxJaOLPqZEMmrRcmCgCipKzu74g6fLS/7buMm7Z6hs9M08xq/aGWhr1vLAO6xG6R+6uo0LTSL9MfaK4mifVCg5S88l2t0rvQIDAQAB" for child. Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Setting "CERTMONGER_LOCAL_CA_DIR" to "/var/lib/certmonger/local" for child. Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Setting "CERTMONGER_KEY_TYPE" to "RSA" for child. Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Setting "CERTMONGER_CA_NICKNAME" to "IPA" for child. Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Setting "CERTMONGER_CA_PROFILE" to "KDCs_PKINIT_Certs" for child. Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Redirecting stdin to /dev/null, leaving stdout and stderr open for child "/usr/libexec/certmonger/ipa-server-guard". Mar 12 14:48:51 replica.example.com certmonger[3686]: 2024-03-12 14:48:51 [3686] Running enrollment helper "/usr/libexec/certmonger/ipa-server-guard". Mar 12 14:48:51 replica.example.com certmonger[478]: 2024-03-12 14:48:51 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:51 replica.example.com ipa-submit[3687]: JSON-RPC call failed with HTTP status code: 401 Mar 12 14:48:51 replica.example.com ipa-submit[3687]: code = 0, code_text = "No error" Mar 12 14:48:51 replica.example.com ipa-submit[3687]: GSSAPI client step 1 Mar 12 14:48:51 replica.example.com ipa-submit[3687]: GSSAPI client step 1 Mar 12 14:48:51 replica.example.com ipa-submit[3687]: GSSAPI client step 1 Mar 12 14:48:51 replica.example.com ipa-submit[3687]: GSSAPI client step 1 Mar 12 14:48:51 replica.example.com ipa-submit[3687]: GSSAPI client step 2 Mar 12 14:48:52 replica.example.com ipa-submit[3687]: JSON-RPC error: 903: an internal error has occurred Mar 12 14:48:52 replica.example.com certmonger[3686]: Submitting request to "https://replica.example.com/ipa/json";. Mar 12 14:48:52 replica.example.com certmonger[3686]: Submitting request to "https://ipamaster01.EXAMPLE.COM/ipa/json";. Mar 12 14:48:52 replica.example.com certmonger[478]: 2024-03-12 14:48:52 [478] Certificate submission still ongoing. Mar 12 14:48:52 replica.example.com certmonger[478]: 2024-03-12 14:48:52 [478] Certificate submission attempt complete. Mar 12 14:48:52 replica.example.com certmonger[478]: 2024-03-12 14:48:52 [478] Child status = 3. Mar 12 14:48:52 replica.example.com certmonger[478]: 2024-03-12 14:48:52 [478] Child output: Mar 12 14:48:52 replica.example.com certmonger[478]: "Server at https://ipamaster01.EXAMPLE.COM/ipa/json failed request, will retry: 903 (an internal error has occurred). Mar 12 14:48:52 replica.example.com certmonger[478]: " Mar 12 14:48:52 replica.example.com certmonger[478]: 2024-03-12 14:48:52 [478] Server at https://ipamaster01.EXAMPLE.COM/ipa/json failed request, will retry: 903 (an internal error has occurred). Mar 12 14:48:52 replica.example.com certmonger[478]: 2024-03-12 14:48:52 [478] Certificate not (yet?) issued. Mar 12 14:48:52 replica.example.com certmonger[478]: 2024-03-12 14:48:52 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144851 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[3706]: 2024-03-12 14:48:53 [3706] error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] No hooks set for pre-save command. Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com /renew_kdc_cert[3711]: restarting krb5kdc Mar 12 14:48:53 replica.example.com systemd[1]: Stopping Kerberos 5 KDC... Mar 12 14:48:53 replica.example.com systemd[1]: krb5kdc.service: Succeeded. Mar 12 14:48:53 replica.example.com systemd[1]: Stopped Kerberos 5 KDC. Mar 12 14:48:53 replica.example.com systemd[1]: Starting Kerberos 5 KDC... Mar 12 14:48:53 replica.example.com systemd[1]: Started Kerberos 5 KDC. Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com certmonger[3721]: Certificate in file "/var/kerberos/krb5kdc/kdc.crt" issued by CA and saved. Mar 12 14:48:53 replica.example.com certmonger[478]: 2024-03-12 14:48:53 [478] Wrote to /var/lib/certmonger/requests/20240312144853 Mar 12 14:48:53 replica.example.com systemd[1]: Stopping Kerberos 5 KDC... Mar 12 14:48:53 replica.example.com systemd[1]: krb5kdc.service: Succeeded. Mar 12 14:48:53 replica.example.com systemd[1]: Stopped Kerberos 5 KDC. Mar 12 14:48:53 replica.example.com systemd[1]: Starting Kerberos 5 KDC... Mar 12 14:48:53 replica.example.com systemd[1]: Started Kerberos 5 KDC. Mar 12 14:48:53 replica.example.com systemd[1]: Stopping 389 Directory Server EXAMPLE-COM.... Mar 12 14:48:53 replica.example.com ns-slapd[3158]: [12/Mar/2024:14:48:53.972895559 +0000] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 5 max work q size 3 max work q stack size 3 Mar 12 14:48:53 replica.example.com ns-slapd[3158]: [12/Mar/2024:14:48:53.975341242 +0000] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins Mar 12 14:48:54 replica.example.com ns-slapd[3158]: [12/Mar/2024:14:48:54.300961794 +0000] - INFO - bdb_pre_close - Waiting for 5 database threads to stop Mar 12 14:48:55 replica.example.com ns-slapd[3158]: [12/Mar/2024:14:48:55.631075995 +0000] - INFO - bdb_pre_close - All database threads now stopped Mar 12 14:48:55 replica.example.com ns-slapd[3158]: [12/Mar/2024:14:48:55.641120041 +0000] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed Mar 12 14:48:55 replica.example.com ns-slapd[3158]: [12/Mar/2024:14:48:55.643485203 +0000] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 3 work q stack objects - freed 7 op stack objects Mar 12 14:48:55 replica.example.com ns-slapd[3158]: [12/Mar/2024:14:48:55.644291920 +0000] - INFO - main - slapd stopped. Mar 12 14:48:55 replica.example.com systemd[1]: [email protected]: Succeeded. Mar 12 14:48:55 replica.example.com systemd[1]: Stopped 389 Directory Server EXAMPLE-COM.. Mar 12 14:48:55 replica.example.com systemd[1]: Starting 389 Directory Server EXAMPLE-COM.... Mar 12 14:48:55 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:55.998014766 +0000] - NOTICE - config_set_port - Non-Secure Port Disabled Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.042865581 +0000] - INFO - main - 389-Directory/1.4.3.37 B2024.015.1049 starting up Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.043363575 +0000] - INFO - main - Setting the maximum file descriptor limit to: 1024 Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.188563525 +0000] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.190611179 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.194886774 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.197854298 +0000] - NOTICE - ldbm_back_start - found 8147288k physical memory Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.198141008 +0000] - NOTICE - ldbm_back_start - found 6240412k available Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.198374407 +0000] - NOTICE - ldbm_back_start - cache autosizing: db cache: 509205k Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.198594412 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (2 total): 720896k Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.199322666 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (2 total): 131072k Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.199598164 +0000] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (2 total): 720896k Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.199833184 +0000] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (2 total): 131072k Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.200104091 +0000] - NOTICE - ldbm_back_start - total cache size: 2161971609 B; Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.213824215 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.214232545 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.214609076 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.214857069 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.215175624 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.215489664 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.215840203 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.216098774 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.216439062 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.216692141 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.216966987 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.217209064 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.217479985 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.217745656 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.218009822 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.218272664 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.218522586 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.218787101 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.219061832 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.219345409 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.219622472 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.220541390 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=example,dc=com does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.285040894 +0000] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off' Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.288001867 +0000] - ERR - dna-plugin - dna_parse_config_entry - Unable to locate shared configuration entry (cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com) Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.288295481 +0000] - ERR - dna-plugin - dna_parse_config_entry - Invalid config entry [cn=subordinate ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.311790536 +0000] - INFO - validate_num_config_reservedescriptors - reserve descriptors changed from 64 to 192 Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.312109874 +0000] - INFO - connection_table_new - conntablesize:832 Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.315247289 +0000] - INFO - slapd_daemon - slapd started. Listening on /run/slapd-EXAMPLE-COM.socket for LDAPI requests Mar 12 14:48:56 replica.example.com systemd[1]: Started 389 Directory Server EXAMPLE-COM.. Mar 12 14:48:56 replica.example.com ns-slapd[3748]: GSSAPI client step 1 Mar 12 14:48:56 replica.example.com ns-slapd[3748]: GSSAPI client step 1 Mar 12 14:48:56 replica.example.com ns-slapd[3748]: GSSAPI client step 1 Mar 12 14:48:56 replica.example.com ns-slapd[3748]: GSSAPI client step 1 Mar 12 14:48:56 replica.example.com ns-slapd[3748]: GSSAPI client step 2 Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.983846414 +0000] - ERR - ipa-topology-plugin - ipa_topo_post_mod - segment to be modified does not exist Mar 12 14:48:56 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:56.988840906 +0000] - ERR - ipa-topology-plugin - ipa_topo_post_mod - segment to be modified does not exist Mar 12 14:48:58 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:58.577334269 +0000] - INFO - bdb_db2index - userRoot: Indexing attribute: ipaidpconfiglink Mar 12 14:48:58 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:58.700532113 +0000] - INFO - bdb_db2index - userRoot: Indexed 1000 entries (24%). Mar 12 14:48:58 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:58.764762073 +0000] - INFO - bdb_db2index - userRoot: Indexed 2000 entries (48%). Mar 12 14:48:58 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:58.803142534 +0000] - INFO - bdb_db2index - userRoot: Indexed 3000 entries (73%). Mar 12 14:48:58 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:58.843639293 +0000] - INFO - bdb_db2index - userRoot: Finished indexing. Mar 12 14:48:59 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:59.617329048 +0000] - ERR - dna-plugin - dna_parse_config_entry - Unable to locate shared configuration entry (cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com) Mar 12 14:48:59 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:59.617781616 +0000] - ERR - dna-plugin - dna_parse_config_entry - Invalid config entry [cn=subordinate ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped Mar 12 14:48:59 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:59.728526972 +0000] - INFO - memberof-plugin - memberof_fixup_task_thread - Memberof task starts (filter: "(objectclass=*)") ... Mar 12 14:48:59 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:59.862227190 +0000] - INFO - memberof-plugin - memberof_fixup_task_thread - Memberof task starts (filter: "(objectclass=*)") ... Mar 12 14:48:59 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:59.862621703 +0000] - INFO - memberof-plugin - memberof_fixup_task_thread - Memberof task finished (processed 0 entries in 0 seconds) Mar 12 14:48:59 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:48:59.937766136 +0000] - INFO - memberof-plugin - memberof_fixup_task_thread - Memberof task finished (processed 9 entries in 0 seconds) Mar 12 14:49:10 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:49:10.532865828 +0000] - WARN - NSMMReplicationPlugin - repl5_inc_update_from_op_result - agmt="cn=meToipamaster01.EXAMPLE.COM" (ipamaster01:389): Consumer failed to replay change (uniqueid a6dc7cde-e07f11ee-ba71cdae-2496bee9, CSN 65f06b5f003700200000): Operations error (1). Will retry later. Mar 12 14:49:10 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:49:10.533754246 +0000] - WARN - NSMMReplicationPlugin - repl5_inc_update_from_op_result - agmt="cn=meToipamaster01.EXAMPLE.COM" (ipamaster01:389): Consumer failed to replay change (uniqueid a6dc7cdf-e07f11ee-ba71cdae-2496bee9, CSN 65f06b5f003a00200000): Operations error(1). Will retry later. Mar 12 14:49:10 replica.example.com ns-slapd[3748]: [12/Mar/2024:14:49:10.552875462 +0000] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meToipamaster01.EXAMPLE.COM" (ipamaster01:389): Unable to send endReplication extended operation (Operations error) >Newer IPA requires that every user have a SID. I'm guessing this is related. I answered no when replica install prompted me to generate SIDs, but I had to use ldapmodify to add RID base numbers to ID ranges on my master. Otherwise the install wouldn't go through. >Did you make any plugin changes? No, I tried to apply a few patches manually (I am reluctant to upgrade master, as it is a single point of failure for our company), but I reverted all changes. -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
