For the previous issue, I was at a loss and took a risky action by executing the command "ipa-replica-manage re-initialize --from xx". However, there are issues with permission authentication between the FreeIPA 4.8 versions. Since FreeIPA 4.8 is currently mainly designed for client-side authentication with the KDC, it is very important and cannot perform the ipa-replica-manage re-initialize operation. What should I do to fix this permission issue? They were previously able to authenticate each other. However, I'm not sure if this was affected by the changes made there.

root@fs-hiido-kerberos-server03:/home/liangrui06# ldapsearch -LLL -x -H ldap://localhost:389 -D "cn=Directory Manager" -w $pass -b "cn=replica,cn=dc\3Dxx\2Cdc\3Dcom,cn=mapping tree,cn=config" "(objectClass=nsds5ReplicationAgreement)" cn nsDS5ReplicaHost nsds5replicaLastUpdateStatus

dn: cn=fs-hiido-kerberos-server03.hiido.host.xx.com-to-fs-hiido-kerberos-server04.hiido.host.xx.com,cn=replica,cn=dc\3Dxx\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: fs-hiido-kerberos-server03.hiido.host.xx.com-to-fs-hiido-kerberos-server04.hiido.host.xx.com
nsDS5ReplicaHost: fs-hiido-kerberos-server04.hiido.host.xx.com
nsds5replicaLastUpdateStatus: Error (1) Can't acquire busy replica (Unable to acquire replica: the replica is currently being updated by another supplier.)

dn: cn=meTofs-hiido-kerveros-test08.hiido.host.xx.com,cn=replica,cn=dc\3Dxx\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: meTofs-hiido-kerveros-test08.hiido.host.xx.com
nsDS5ReplicaHost: fs-hiido-kerveros-test08.hiido.host.xx.com
nsds5replicaLastUpdateStatus: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied)

root@fs-hiido-kerveros-test08:~# ldapsearch -LLL -x -H ldap://localhost:389 -D "cn=Directory Manager" -w $pass -b "cn=replica,cn=dc\3Dxx\2Cdc\3Dcom,cn=mapping tree,cn=config" "(objectClass=nsds5ReplicationAgreement)" cn nsDS5ReplicaHost nsds5replicaLastUpdateStatus

dn: cn=fs-hiido-kerveros-test08.hiido.host.xx.com-to-fs-hiido-ipa-65-155.hiido.host.xx.com,cn=replica,cn=dc\3Dxx\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: fs-hiido-kerveros-test08.hiido.host.xx.com-to-fs-hiido-ipa-65-155.hiido.host.xx.com
nsDS5ReplicaHost: fs-hiido-ipa-65-155.hiido.host.xx.com
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded

dn: cn=fs-hiido-kerveros-test08.hiido.host.xx.com-to-fs-hiido-kerberos-21-117-149.hiido.host.xx.com,cn=replica,cn=dc\3Dxx\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: fs-hiido-kerveros-test08.hiido.host.xx.com-to-fs-hiido-kerberos-21-117-149.hiido.host.xx.com
nsDS5ReplicaHost: fs-hiido-kerberos-21-117-149.hiido.host.xx.com
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded

dn: cn=meTofs-hiido-kerberos-server02.hiido.host.xx.com,cn=replica,cn=dc\3Dxx\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: meTofs-hiido-kerberos-server02.hiido.host.xx.com
nsDS5ReplicaHost: fs-hiido-kerberos-server02.hiido.host.xx.com
nsds5replicaLastUpdateStatus: Error (-2) Problem connecting to replica - LDAP error: Local error (connection error)

dn: cn=meTofs-hiido-kerberos-server03.hiido.host.xx.com,cn=replica,cn=dc\3Dxx\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: meTofs-hiido-kerberos-server03.hiido.host.xx.com
nsDS5ReplicaHost: fs-hiido-kerberos-server03.hiido.host.xx.com
nsds5replicaLastUpdateStatus: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)

fs-hiido-kerberos-server03 -> meTofs-hiido-kerveros-test08.hiido.host.xx.com

What kind of permission is lacking between them?

root@fs-hiido-kerveros-test08:/var/log/dirsrv/slapd-YYDEVOPS-COM# tailf errors
[29/Jan/2026:15:04:49.513109345 +0800] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=7195 op=90315 replica="dc=xx,dc=com": Unable to acquire replica: error: permission denied
[29/Jan/2026:15:04:52.509637825 +0800] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=7195 op=90317 replica="dc=xx,dc=com": Unable to acquire replica: error: permission denied
[29/Jan/2026:15:04:55.827408548 +0800] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=7195 op=90318 replica="dc=xx,dc=com": Unable to acquire replica: error: permission denied
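
Added example, not part of the original post and not FreeIPA or 389-ds code: a small triage helper for the kind of ldapsearch output pasted in this message. Raw ldapsearch -LLL output folds long values onto continuation lines that start with one space, so the helper unfolds them first and then lists the agreements whose nsds5replicaLastUpdateStatus code is non-zero. The host names in the sample and the function names are constructed for illustration.

```python
import re

# Constructed sample: two agreements in folded LDIF, the way ldapsearch -LLL
# prints them (a line starting with one space continues the previous line).
SAMPLE = """\
dn: cn=meToreplica-b.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=m
 apping tree,cn=config
cn: meToreplica-b.example.test
nsDS5ReplicaHost: replica-b.example.test
nsds5replicaLastUpdateStatus: Error (3) Replication error acquiring replica: U
 nable to acquire replica: permission denied.

dn: cn=meToreplica-c.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=m
 apping tree,cn=config
cn: meToreplica-c.example.test
nsDS5ReplicaHost: replica-c.example.test
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Increme
 ntal update succeeded
"""

# Status values on this page have the shape "Error (<code>) <message>".
STATUS_RE = re.compile(r"^Error \((-?\d+)\)\s*(.*)$")

def unfold(ldif):
    """Join LDIF continuation lines (newline + one space) onto the previous line."""
    return re.sub(r"\n ", "", ldif)

def parse_agreements(ldif):
    """Return one dict per entry: target host, numeric status code, message."""
    results = []
    for block in unfold(ldif).strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep:
                attrs[name.lower()] = value  # attribute names are case-insensitive
        m = STATUS_RE.match(attrs.get("nsds5replicalastupdatestatus", ""))
        if m:
            results.append({"host": attrs.get("nsds5replicahost"),
                            "code": int(m.group(1)), "message": m.group(2)})
    return results

def failing(ldif):
    """Agreements with a non-zero status code ("Error (0)" is the success case)."""
    return [a for a in parse_agreements(ldif) if a["code"] != 0]

if __name__ == "__main__":
    for a in failing(SAMPLE):
        print(f'{a["host"]}: code {a["code"]}: {a["message"]}')
```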
