Just sure now that one side of the flow is broken. If you update server1, it works 100% and server2 will upgrade. But if you update server2 there is a chance of non-sync, e.g. it creates the username in server1 with the posfix grp > OK, but in server2 it only created the posfix grp but no username/attribute. It has occurred several times. I have to use the command line (grp del ... etc.) to force-delete them and recreate them.

Result below:

server2.abc.com: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2014-07-04 00:33:18+00:00
Directory Manager password:

server1.abc.com: replica
  last init status: 0 Total update succeeded
  last init ended: 2014-06-20 10:07:02+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2014-07-04 01:14:19+00:00

[root@(LIVE)server2 ~]$ ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

2014-07-04 1:34 GMT+08:00 Rob Crittenden <[email protected]>:

> [email protected] wrote:
> > Yes they are running. Server 1 can sync to server2 but error at server 2
> > like this.
>
> How do you know server 1 is syncing with server 2?
>
> On server 1 I'd run:
>
> ipa-replica-manage list -v `hostname`
>
> This will show the replication status.
>
> And what does ipactl status show on server 2?
>
> rob
>
> >
> > On 2014/7/3 at 10:14 PM, "Rob Crittenden" <[email protected]> wrote:
> >
> >     Please keep replies on the list.
> >
> >     [email protected] wrote:
> >     > I saw the error below and error log, is it related?
> >     >
> >     > 29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
> >     > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >
> >     I believe this is fairly normal on a new startup. It has to start
> >     somewhere. The expired ticket errors below are unexpected since there
> >     are so many of them. Is your KDC running?
> >
> >     ipactl status
> >
> >     rob
> >
> >     >
> >     > 2014-07-02 14:15 GMT+08:00 <[email protected]>:
> >     >
> >     >     this is the error log I found at 2.abc.com
> >     >
> >     >     [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >     >     [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >     >     [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >     >     [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meTo1.abc.com" (central:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
> >     >     [30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >     >     [30/Jun/2014:12:51:35 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >     >     [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >     >     [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >     >     [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >     >     [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >     >
> >     >
> >     >     2014-07-02 12:32 GMT+08:00 <[email protected]>:
> >     >
> >     >         yes on node 1 it is happening, only node2 fails to connect
> >     >
> >     >         ipa-replica-manage list 2.abc.com
> >     >         Directory Manager password:
> >     >
> >     >         1.abc.com: replica
> >     >
> >     >
> >     >         2014-06-30 20:59 GMT+08:00 Rob Crittenden <[email protected]>:
> >     >
> >     >             Barry wrote:
> >     >             > Hi:
> >     >             >
> >     >             > Server 1 and Server 2 is cluster master master originally,
> >     >             > but server 2 fail to connect server1.
> >     >             >
> >     >             > ipa-replica-manage list shown Can't contact LDAP server
> >     >             >
> >     >             > But as server1 it is ok master server1 master server2,
> >     >             >
> >     >             > It seem affect if update on server 1 then it sync to
> >     >             > server2 no problem but sometimes if modify in server2
> >     >             > it fail to update server1.
> >     >             >
> >     >             > Any idea to rebuild mutual relationship?
> >     >
> >     >             The first step is to diagnose what is wrong. I've already
> >     >             suggested a few things,
> >     >
> >     >             https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html
> >     >
> >     >             rob
> >     >
> >     >             --
> >     >             Manage your subscription for the Freeipa-users mailing list:
> >     >             https://www.redhat.com/mailman/listinfo/freeipa-users
> >     >             Go To http://freeipa.org for more info on the project
