[Freeipa-users] ERR - dna-plugin - dna_request_range: Unable to retrieve replica bind credentials.

[Michal Konecny via FreeIPA-users]

Hi everyone,

I recently tried to redeploy Fedora ipa staging replicas ipa02 and 
ipa03. It finished successfully without any errors. Later I tried to add 
a new group which ended up with

```
ipa: ERROR: Operations error: Allocation of a new value for range 
cn=posix ids,cn=distributed numeric assignment 
plugin,cn=plugins,cn=config failed! Unable to proceed.
```

So I continued with fixing the DNA ranges for ipa02.stg and ipa03.stg.

```
[root@ipa01 ~][STG]# ipa-replica-manage dnarange-show
ipa01.stg.iad2.fedoraproject.org: 162861501-162862500 
ipa02.stg.iad2.fedoraproject.org: 162859501-162860000
ipa03.stg.iad2.fedoraproject.org: 162860001-162861000
```

But the user still can't be created with the same issue and in the 
`/var/log/dirsrv/slapd-STG-FEDORAPROJECT-ORG/errors` I found this:

```
[17/Oct/2024:13:24:53.387189861 +0000] - ERR - dna-plugin - 
dna_get_remote_config_info - Using LDAP protocol, but the non-secure 
port is not defined.
[17/Oct/2024:13:24:53.387866118 +0000] - ERR - dna-plugin - 
dna_request_range: Unable to retrieve replica bind credentials.
[17/Oct/2024:13:24:59.981251454 +0000] - ERR - dna-plugin - 
_dna_pre_op_add - Failed to allocate a new ID 1
[17/Oct/2024:13:24:59.983529484 +0000] - ERR - 
agmt="cn=meToipa02.stg.iad2.fedoraproject.org" (ipa02:389) - 
clcache_load_buffer - Can't locate CSN 67110c31000100300000 in the 
changelog (DB rc=-12797). If replication stops, the consumer may need to 
be reinitialized.
[17/Oct/2024:13:24:59.984077706 +0000] - ERR - 
agmt="cn=meToipa03.stg.iad2.fedoraproject.org" (ipa03:389) - 
clcache_load_buffer - Can't locate CSN 67110c31000100300000 in the 
changelog (DB rc=-12797). If replication stops, the consumer may need to 
be reinitialized.
[17/Oct/2024:13:24:59.984613345 +0000] - ERR - ipa_sidgen_add_post_op - 
[file ipa_sidgen.c, line 128]: Missing target entry.
```

I did `ipa-manage-replica re-initializaze 
--from=ipa01.stg.iad2.fedoraproject.org` on both ipa02 and ipa03, but 
the issue is still there when trying to add new group.

I'm not sure what to try next. Could somebody help me with it?

Michal

P.S.: The playbook that is deploying the IPA in Fedora - 
https://pagure.io/fedora-infra/ansible/blob/main/f/roles/ipa/server

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue