Found something strange: server 1 replicates to itself rather than to server2.

Server1 access log > Wrong
[04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.15.89( server1 ) to 192.168.15.89 (server1)

Server 2 access log > OK
[04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection from 192.168.15.89(server2) to 192.168.15.88 (server2)

2014-07-04 9:25 GMT+08:00 <[email protected]>:

> Just sure now one side flow is broken, if u update server1 , it 100% work
> server2 will upgrade.
> but if u update server2 there is chance non-sync e.g it create username in
> server1 with posfix grp >ok
> but in server2 it only created posfix grp but no username /attribute it
> occur several times. I have to use command line grp del ...etc. to force
> del them and recreate them.,.
>
> Result below:
>
> server2.abc.com: replica
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2014-07-04 00:33:18+00:00
>
> Directory Manager password:
>
> server1.abc.com: replica
>   last init status: 0 Total update succeeded
>   last init ended: 2014-06-20 10:07:02+00:00
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2014-07-04 01:14:19+00:00
>
> [root@(LIVE)server2 ~]$ ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
>
> 2014-07-04 1:34 GMT+08:00 Rob Crittenden <[email protected]>:
>
>> [email protected] wrote:
>> > Yes they are running. Server 1 can sync to server2 but error at server 2
>> > like this.
>>
>> How do you know server 1 is syncing with server 2?
>>
>> On server 1 I'd run:
>>
>> ipa-replica-manage list -v `hostname`
>>
>> This will show the replication status.
>>
>> And what does ipactl status show on server 2?
>>
>> rob
>>
>> > 2014/7/3 10:14 PM, "Rob Crittenden" <[email protected]> wrote:
>> >
>> > Please keep replies on the list.
>> >
>> > [email protected] wrote:
>> > > I saw the error below and error log, is it related?
>> > >
>> > > 29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
>> > > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> >
>> > I believe this is fairly normal on a new startup. It has to start
>> > somewhere. The expired ticket errors below are unexpected since there
>> > are so many of them. Is your KDC running?
>> >
>> > ipactl status
>> >
>> > rob
>> >
>> > > 2014-07-02 14:15 GMT+08:00 <[email protected]>:
>> > >
>> > > this is the error log i found at 2.abc.com
>> > >
>> > > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>> > > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>> > > [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> > > [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meTo1.abc.com" (central:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
>> > > [30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>> > > [30/Jun/2014:12:51:35 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>> > > [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> > > [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>> > > [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>> > > [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> > >
>> > > 2014-07-02 12:32 GMT+08:00 <[email protected]>:
>> > >
>> > > yes on node 1 it is happening only node2 fail connect
>> > >
>> > > ipa-replica-manage list 2.abc.com
>> > > Directory Manager password:
>> > >
>> > > 1.abc.com: replica
>> > >
>> > > 2014-06-30 20:59 GMT+08:00 Rob Crittenden <[email protected]>:
>> > >
>> > > Barry wrote:
>> > > > Hi:
>> > > >
>> > > > Server 1 and Server 2 is cluster master master originally,
>> > > > but server 2 fail to connect server1 ,.
>> > > >
>> > > > ipa-replica-manage list shown Can't contact LDAP server
>> > > >
>> > > > But as server1 it is ok master server1 master server2 ,
>> > > >
>> > > > It seem affect if update on server 1 then it sync to server2 no problem
>> > > > but sometimes if modify in server2 it fail to update server1.
>> > > >
>> > > > Any idea to rebuild mutual relationship.?
>> > >
>> > > The first step is to diagnose what is wrong. I've already suggested a
>> > > few things,
>> > > https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html
>> > >
>> > > rob
>> > >
>> > > --
>> > > Manage your subscription for the Freeipa-users mailing list:
>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > > Go To http://freeipa.org for more info on the project
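Added example, not part of the thread: a small triage script for the directory server error-log lines quoted above, separating the one startup-time credentials-cache miss from the repeated `Ticket expired` failures and listing the replication agreement whose GSSAPI bind failed. The sample lines are adapted from the thread; the function names and the alert threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Sample input adapted from the error-log lines posted in the thread.
SASL = ("slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind "
        "for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: "
        "GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ")
SAMPLE = "\n".join([
    "[29/Jun/2014:02:00:58 +0800] " + SASL + "(Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)",
    "[30/Jun/2014:12:51:31 +0800] " + SASL + "(Ticket expired)) errno 0 (Success)",
    "[30/Jun/2014:12:51:31 +0800] " + SASL + "(Ticket expired)) errno 0 (Success)",
    "[30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)",
    '[30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meTo1.abc.com" (central:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))',
    "[30/Jun/2014:12:51:34 +0800] " + SASL + "(Ticket expired)) errno 0 (Success)",
])

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<comp>\S+) - (?P<msg>.*)$")
MINOR = re.compile(r"Minor code may provide more information \((?P<why>.*?)\)\)")
AGMT = re.compile(r'agmt="(?P<name>[^"]+)" \((?P<peer>[^)]+)\)')

def classify(why):
    # The ccache path differs per service uid, so fold all of them into one bucket.
    return "ccache missing" if why.startswith("Credentials cache file") else why

def triage(log_text):
    """Count GSSAPI minor-code reasons; list agreements whose replication bind failed."""
    reasons, window, agmts = Counter(), {}, defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE.match(line)
        minor = MINOR.search(m["msg"]) if m else None
        if not minor:
            continue  # slapi_ldap_bind summary lines carry no minor code
        why = classify(minor["why"])
        reasons[why] += 1
        first, _ = window.get(why, (m["ts"], None))
        window[why] = (first, m["ts"])  # first and last time this reason was seen
        agmt = AGMT.search(m["msg"])
        if m["comp"] == "NSMMReplicationPlugin" and agmt:
            agmts[f'{agmt["name"]} -> {agmt["peer"]}'][why] += 1
    return reasons, window, agmts

def expired_ticket_alert(reasons, threshold=3):
    # threshold is an assumption: one ccache miss at startup is expected, repeated expiries are not
    return reasons["Ticket expired"] >= threshold

if __name__ == "__main__":
    reasons, window, agmts = triage(SAMPLE)
    print(dict(reasons), window, {k: dict(v) for k, v in agmts.items()})
    print("repeated expired tickets:", expired_ticket_alert(reasons))
```
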
