Hi Mark,
thanks for the quick reply.
Server-B has the following in the access log (twice, actually):
```
[06/Jun/2025:14:55:33.573567003 +0000] conn=8984 fd=372 slot=372 connection
from 192.168.12.58 to 192.168.13.128
[06/Jun/2025:14:55:33.613280772 +0000] conn=8984 op=0 BIND dn="" method=sasl
version=3 mech=GSSAPI
[06/Jun/2025:14:55:33.614444924 +0000] conn=8984 op=0 RESULT err=49 tag=97
nentries=0 wtime=0.000406209 optime=0.001176425 etime=0.001580230 - SASL(-13):
authentication failure: GSSAPI Failure: gss_accept_sec_context
[06/Jun/2025:14:55:33.696712718 +0000] conn=8984 op=1 UNBIND
[06/Jun/2025:14:55:33.696753716 +0000] conn=8984 op=1 fd=372 Disconnect -
Cleanly Closed Connection - U1
```
I don't fully understand why it's trying GSSAPI after I entered the directory
manager password. I'd assume it'd use simple bind.
In the security log there's the following, nothing about the failed gssapi bind.
```
{ "date": "[06\/Jun\/2025:14:55:00.776221689 +0000] ", "utc_time":
"1749221700.776221689", "event": "BIND_SUCCESS", "dn": "cn=directory manager",
"bind_method": "SIMPLE", "root_dn": true, "client_ip": "192.168.12.58",
"server_ip": "192.168.13.128", "ldap_version": 3, "conn_id": 8983, "op_id": 0,
"msg": "" }
```
I'm about to leave the office for a long weekend, so I probably won't respond
again before Tuesday.
Peter
________________________________________
From: Mark Reynolds <marey...@redhat.com>
Sent: Friday, 6 June 2025 15:26
To: FreeIPA users list
Cc: Kroon PC, Peter
Subject: Re: [Freeipa-users] Replication issues
[You don't often get email from marey...@redhat.com. Learn why this is
important at https://aka.ms/LearnAboutSenderIdentification ]
Hi Peter,
So the credentials the replication agreement is using are not valid (for
whatever reason). Please check the directory server access log for
"err=49" and you should see the bind DN and more details on why the
authentication failed.
HTH,
Mark
On 6/6/25 6:56 AM, Kroon PC, Peter via FreeIPA-users wrote:
> Hello world,
>
> I have 3 IPA servers that are supposed to all replicate with each other. For
> one server this stopped working. On all servers I have ipa-server
> 4.12.2-14.el9_6 on Rocky Linux 9.6.
> I'll call my servers A, B, and C. Server A cannot replicate with neither
> server B nor C. B and C can replicate eachother without issues. My first
> suspicion was a firewall, but I've already confirmed that that's not the
> issue.
> Here's the sanitized CLI outputs, all from server A:
> ```
> $ ipa-healthcheck
> {
> "source": "ipahealthcheck.ds.replication",
> "check": "ReplicationCheck",
> "result": "CRITICAL",
> "uuid": "9c96a61a-d917-44de-907a-d5c7a4df667e",
> "when": "20250606095130Z",
> "duration": "1.072988",
> "kw": {
> "key": "DSREPLLE0001",
> "items": [
> "Replication",
> "Agreement"
> ],
> "msg": "The replication agreement
> (server-A.example.com-to-server-C.example.com) under \"dc=example,dc=com\" is
> not in synchronization."
> }
> },
> {
> "source": "ipahealthcheck.ds.replication",
> "check": "ReplicationCheck",
> "result": "CRITICAL",
> "uuid": "6c29d38e-a216-414e-b47a-d9302f38da67",
> "when": "20250606095131Z",
> "duration": "1.073047",
> "kw": {
> "key": "DSREPLLE0001",
> "items": [
> "Replication",
> "Agreement"
> ],
> "msg": "The replication agreement (metoserver-B.example.com) under
> \"dc=example,dc=com\" is not in synchronization."
> }
> },
> {
> "source": "ipahealthcheck.ds.replication",
> "check": "ReplicationCheck",
> "result": "CRITICAL",
> "uuid": "445f686b-27d9-47e0-aaa8-bb8d5f3416d4",
> "when": "20250606095131Z",
> "duration": "1.073054",
> "kw": {
> "key": "DSREPLLE0001",
> "items": [
> "Replication",
> "Agreement"
> ],
> "msg": "The replication agreement (catoserver-B.example.com) under
> \"o=ipaca\" is not in synchronization."
> }
> },
> {
> "source": "ipahealthcheck.ds.replication",
> "check": "ReplicationCheck",
> "result": "CRITICAL",
> "uuid": "bb6fb4b1-54fc-45dc-bb33-c8c3562f5765",
> "when": "20250606095131Z",
> "duration": "1.073058",
> "kw": {
> "key": "DSREPLLE0001",
> "items": [
> "Replication",
> "Agreement"
> ],
> "msg": "The replication agreement
> (server-A.example.com-to-server-C.example.com) under \"o=ipaca\" is not in
> synchronization."
> }
> }
> ```
> ```
> $ ipa-replica-manage list
> ipa-replica-manage list
> Directory Manager password:
>
> server-A.example.com: master
> server-B.example.com: master
> server-C.example.com: master
> ```
> Ok, things are broken, let's try force-sync.
> ```
> $ ipa-replica-manage force-sync --from server-B.example.com --verbose --debug
> <snip imports>
> ipa: DEBUG: found 1 A records for server-A.example.com.: 192.168.12.58
> ipa: DEBUG: The DNS response does not contain an answer to the question:
> server-A.example.com. IN AAAA
> Directory Manager password:
>
> ipa: DEBUG: Created connection context.ldap2_139632322538896
> ipa: DEBUG: found 1 A records for server-A.example.com.: 192.168.12.58
> ipa: DEBUG: The DNS response does not contain an answer to the question:
> server-A.example.com. IN AAAA
> ipa: DEBUG: found 1 A records for server-B.example.com.: 192.168.13.128
> ipa: DEBUG: The DNS response does not contain an answer to the question:
> server-B.example.com. IN AAAA
> ipa: DEBUG: retrieving schema for SchemaCache
> url=ldaps://server-A.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject
> object at 0x7efeaefd2460>
> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> ipa: DEBUG: retrieving schema for SchemaCache
> url=ldapi://%2Frun%2Fslapd-BIN-BIOINF-NL.socket
> conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7efeaefd2610>
> ipa: DEBUG: retrieving schema for SchemaCache
> url=ldaps://server-B.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject
> object at 0x7efeae1ee1f0>
> ipa: INFO: Setting agreement
> cn=meToserver-A.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping
> tree,cn=config schedule to 2358-2359 0 to force synch
> ipa: INFO: Deleting schedule 2358-2359 0 from agreement
> cn=meToserver-A.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping
> tree,cn=config
> ipa: INFO: Replication Update in progress: False: status: Error (49) Problem
> connecting to replica - LDAP error: Invalid credentials (connection error):
> start: 19700101000000: end: 19700101000000
> ipa: DEBUG: Destroyed connection context.ldap2_139632322538896
> ```
> Maybe I can re-initialize?
> ```
> $ ipa-replica-manage re-initialize --from server-B.example.com --verbose
> --debug
> <snip import>
> <snip DNS responses, same as above>
> Directory Manager password:
> ipa: DEBUG: Created connection context.ldap2_140512488991280
> ipa: DEBUG: retrieving schema for SchemaCache
> url=ldaps://server-A.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject
> object at 0x7fcb9c310dc0>
> ipa: DEBUG: retrieving schema for SchemaCache
> url=ldaps://server-B.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject
> object at 0x7fcb9c1e10a0>
> ipa: INFO: Setting agreement
> cn=meToserver-A.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping
> tree,cn=config schedule to 2358-2359 0 to force synch
> ipa: INFO: Deleting schedule 2358-2359 0 from agreement
> cn=meToserver-A.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping
> tree,cn=config
> Update in progress, 15 seconds elapsed
> [ldaps://server-B.example.com:636] reports: Update failed! Status: [Error
> (49) - LDAP error: Invalid credentials - no response received]
> ipa: DEBUG: Destroyed connection context.ldap2_140512488991280
> ```
> Is it a firewall or password issue? No:
> ```
> $ ldapwhoami -H ldaps://server-B.example.com -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn: cn=directory manager
> ```
> From server-B:
> ```
> server-B $ ldapwhoami -H ldaps://server-A.example.com -D 'cn=directory
> manager' -W
> Enter LDAP Password:
> dn: cn=directory manager
> ```
> I also checked that `ipa-replica-manage list-ruv` produces the same output
> for all 3 servers.
> Does anyone have any more ideas I could explore?
>
> Many thanks in advance!
> Peter
--
Identity Management Development Team
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
