On 05/21/2014 01:31 PM, Davis Goodman wrote:
> On May 21, 2014, at 6:54 , Martin Kosek <[email protected]> wrote:
>
>> On 05/21/2014 09:12 AM, Davis Goodman wrote:
>>> On May 21, 2014, at 2:45 , Martin Kosek <[email protected]> wrote:
>>>
>>>> On 05/21/2014 08:36 AM, Davis Goodman wrote:
>>>>> Hi,
>>>>>
>>>>> Lately I've been having replication issues between my server and my 2
>>>>> replicas.
>>>>>
>>>>> I decided I was going to delete my 2 replicas and start over, keeping my
>>>>> master intact.
>>>>>
>>>>> I wasn't successful in getting all 3 servers to replicate to each other
>>>>> (it used to work).
>>>>>
>>>>> I tried deleting 1 replica after the other one to always keep one of the
>>>>> two available.
>>>>>
>>>>> I had to manually delete the replica host on the master with a bunch of
>>>>> ldapdelete commands, which worked fine.
>>>>>
>>>>> But after many unsuccessful trials of getting everyone to sync I decided
>>>>> to delete my two replicas.
>>>>>
>>>>> I went back to my master to use ldapdelete to remove both hosts'
>>>>> records so that I could start over.
>>>>>
>>>>> Unfortunately now I'm getting this error.
>>>>>
>>>>> ldapdelete -x -D "cn=Directory Manager" -W
>>>>> cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int
>>>>> Enter LDAP Password:
>>>>> ldap_delete: Server is unwilling to perform (53)
>>>>> additional info: database is read-only
>>>>>
>>>>> I'm kinda stuck now with no replicas and no DNS. I could restore the
>>>>> backup prior to the start of the operation but with a master in
>>>>> read-only mode it wouldn't be of much help.
>>>>>
>>>>> Any insights would be more than welcome.
>>>>>
>>>>> Davis
>>>>
>>>> Hi Davis, did maybe one of your ipa-replica-manage runs crash in the
>>>> middle of an operation, or was an upgrade interrupted and left the
>>>> database in read-only mode?
>>>>
>>>> You can find out with this ldapsearch:
>>>>
>>>> ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b
>>>> 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base
>>>>
>>>> Check for nsslapd-readonly, it should be set to "off" in normal operation.
>>>>
>>>> Martin
>>>
>>> Ok, finally managed to modify the read-only flag.
>>>
>>> Could prepare my replicas and get them going.
>>>
>>> Everything seems fine but I'm getting this error while setting up the
>>> replicas. Should I be concerned about this one:
>>>
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update succeeded
>>> [23/31]: adding replication acis
>>> [24/31]: setting Auto Member configuration
>>> [25/31]: enabling S4U2Proxy delegation
>>> ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command
>>> '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H
>>> ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y
>>> /tmp/tmp4Svn9k' returned non-zero exit status 20
>>> [26/31]: initializing group membership
>>> [27/31]: adding master entry
>>> [28/31]: configuring Posix uid/gid generation
>>>
>>> The rest seems to work fine.
>>
>> You need to check ipareplica-install.log to see the real error.
>>
>> I wonder if "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" and
>> "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" exist.
>>
>> Martin
>
> The first one is there:
>
> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b
> cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int""
> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr
>  ict,dc=int
> ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr
>  ict,dc=int
> memberPrincipal: HTTP/[email protected]
> memberPrincipal: HTTP/[email protected]
> memberPrincipal: HTTP/[email protected]
> memberPrincipal: HTTP/[email protected]
> memberPrincipal: HTTP/[email protected]
> memberPrincipal: HTTP/[email protected]
> cn: ipa-http-delegation
> objectClass: ipaKrb5DelegationACL
> objectClass: groupOfPrincipals
> objectClass: top
>
> But not the second one:
>
> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b
> cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int""
> No such object (32)
> Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
>
> Also, what is strange is that I got the error only on one of the replicas; the
> other one went through without any hiccups.
Ok, I think I misled you with the second DN, the real DN should be "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int", see /usr/share/ipa/replica-s4u2proxy.ldif for the LDIF that is being loaded.

The key here is to check the error message of the ldapmodify that was run on the failing replica, try to search in /var/log/ipareplica-install.log.

Martin

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
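As an added diagnostic example (not code from the thread or from FreeIPA), the script below parses the LDIF that ldapsearch prints, including the folded continuation lines visible in Davis's output, and checks the two things Martin asks for: the nsslapd-readonly value on the userRoot backend, and whether the delegation DNs loaded by replica-s4u2proxy.ldif are present. The sample LDIF and the dc=example,dc=test suffix are constructed for the example.

```python
from typing import Dict, List
# Constructed sample of `ldapsearch -LLL -s base` on the userRoot backend entry
# (the search Martin suggests) after an interrupted operation left it read-only.
USERROOT_LDIF = """\
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: userRoot
nsslapd-readonly: on
"""

# Constructed sample of a subtree search under cn=s4u2proxy (placeholder suffix);
# the ipaAllowedTarget value is folded the way ldapsearch wraps long lines.
S4U2PROXY_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=exampl
 e,dc=test
memberPrincipal: HTTP/ipa01.example.test@EXAMPLE.TEST
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch -LLL output into entries keyed by lowercased attribute name.
    A line starting with one space continues the previous value (RFC 2849 folding)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():              # blank line separates entries
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):    # base64 ("::") values are kept undecoded
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def readonly_state(ldif: str) -> str:
    """Return 'on', 'off' or 'missing' for nsslapd-readonly in the first entry."""
    entries = parse_ldif(ldif)
    return entries[0].get("nsslapd-readonly", ["missing"])[0].lower() if entries else "missing"

def missing_s4u2proxy_entries(ldif: str, suffix: str) -> List[str]:
    """DNs that replica-s4u2proxy.ldif expects but the cn=s4u2proxy search did not return."""
    present = {dn.lower() for e in parse_ldif(ldif) for dn in e.get("dn", [])}
    expected = [f"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,{suffix}",
                f"cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,{suffix}"]
    return [dn for dn in expected if dn.lower() not in present]
```

Feed it the output of the two searches saved to files; a result of "on" from readonly_state() or a non-empty list from missing_s4u2proxy_entries() points at the two conditions discussed above.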
