On 07/04/2014 03:28 AM, barry...@gmail.com wrote:
Found something strange: server 1 replicates to itself rather than to server2

Server1 access log > Wrong
[04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.15.89( server1 ) to 192.168.15.89 (server1)

Are you sure that this connection is a replication session? Can you post all of the operations from the access log from conn=936207?



Server 2 access log > OK
[04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection from 192.168.15.89(server2) to 192.168.15.88 (server2)


2014-07-04 9:25 GMT+08:00 <barry...@gmail.com>:

    Just sure now one side flow is broken: if you update server1, it
    100% works, server2 will upgrade.
    But if you update server2 there is a chance of non-sync, e.g. it creates
    username in server1 with posfix grp > ok
    but in server2 it only created posfix grp but no username
    /attribute. It occurred several times. I have to use command line grp
    del ...etc. to force del them and recreate them.

    Result below:

    server2.abc.com: replica
      last init status: None
      last init ended: None
      last update status: 0 Replica acquired successfully: Incremental update succeeded
      last update ended: 2014-07-04 00:33:18+00:00

    Directory Manager password:

    server1.abc.com: replica
      last init status: 0 Total update succeeded
      last init ended: 2014-06-20 10:07:02+00:00
      last update status: 0 Replica acquired successfully: Incremental update succeeded
      last update ended: 2014-07-04 01:14:19+00:00



    [root@(LIVE)server2 ~]$  ipactl status
    Directory Service: RUNNING
    KDC Service: RUNNING
    KPASSWD Service: RUNNING
    MEMCACHE Service: RUNNING
    HTTP Service: RUNNING


    2014-07-04 1:34 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:

        barry...@gmail.com wrote:
        > Yes they are running. Server 1 can sync to server2 but error at server 2
        > like this.

        How do you know server 1 is syncing with server 2?

        On server 1 I'd run:

        ipa-replica-manage list -v `hostname`

        This will show the replication status.

        And what does ipactl status show on server 2?

        rob

        >
        > 2014/7/3 ??10:14 ? "Rob Crittenden" <rcrit...@redhat.com> ??:
        >
        >     Please keep replies on the list.
        >
        >     barry...@gmail.com wrote:
        >     > I saw the error below and error log, is it related?
        >     >
        >     > 29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
        >     > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
        >
        >     I believe this is fairly normal on a new startup. It has to start
        >     somewhere. The expired ticket errors below are unexpected since there
        >     are so many of them. Is your KDC running?
        >
        >     ipactl status
        >
        >     rob
        >
        >     >
        >     >
        >     > 2014-07-02 14:15 GMT+08:00 <barry...@gmail.com>:
        >     >
        >     >
        >     >     this is the error log i found at 2.abc.com
        >     >
        >     >     [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
        >     >     [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
        >     >     [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
        >     >     [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meTo1.abc.com" (central:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired))
        >     >     [30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
        >     >     [30/Jun/2014:12:51:35 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
        >     >     [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
        >     >     [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
        >     >     [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
        >     >     [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
        >     >
        >     >
        >     >     2014-07-02 12:32 GMT+08:00 <barry...@gmail.com>:
        >     >
        >     >         yes on node 1 it is happening only node2 fail connect
        >     >
        >     >         ipa-replica-manage list 2.abc.com
        >     >         Directory Manager password:
        >     >
        >     >         1.abc.com: replica
        >     >
        >     >
        >     >
        >     >         2014-06-30 20:59 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
        >     >
        >     >             Barry wrote:
        >     >             > Hi:
        >     >             >
        >     >             > Server 1 and Server 2 is cluster master master originally,
        >     >             > but server 2 fail to connect server1.
        >     >             >
        >     >             > ipa-replica-manage list shown Can't contact LDAP server
        >     >             >
        >     >             > But as server1 it is ok  master server1 master server2,
        >     >             >
        >     >             > It seem affect if update on server 1 then it sync to server2 no problem
        >     >             > but sometimes if modify in server2 it fails to update server1.
        >     >             >
        >     >             > Any idea to rebuild mutual relationship?
        >     >
        >     >             The first step is to diagnose what is wrong. I've already
        >     >             suggested a few things,
        >     >
        >     >             https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html
        >     >
        >     >             rob
        >     >
        >     >             --
        >     >             Manage your subscription for the Freeipa-users mailing list:
        >     >             https://www.redhat.com/mailman/listinfo/freeipa-users
        >     >             Go To http://freeipa.org for more info on the project
        >     >
        >     >
        >     >
        >     >
        >






-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
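
Added example (not part of the thread and not FreeIPA or 389-ds code): a Python triage of a directory server error log in the format quoted above. It counts GSSAPI bind failures by the minor-code reason, separating the missing-credentials-cache case from expired tickets, and lists the replication agreements whose bind failed. The sample lines are constructed from the excerpts in the thread; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the error-log excerpts quoted in the thread.
SAMPLE_LOG = """\
[29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
[29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
[30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meTo1.abc.com" (central:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired))
[30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
[30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<component>\S+) - (?P<msg>.*)$")
REASON_RE = re.compile(r"Minor code may provide more information \((?P<reason>.*?)\)\)")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)"')


def classify(reason):
    """Map the GSSAPI minor-code text to a coarse category."""
    if "Ticket expired" in reason:
        return "ticket_expired"
    if reason.startswith("Credentials cache") and reason.endswith("not found"):
        return "ccache_missing"
    return "other"


def triage(log_text):
    """Return (bind failures by reason, failed replication binds by agreement)."""
    reasons, agreements = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or "GSSAPI" not in m["msg"]:
            continue
        r = REASON_RE.search(m["msg"])
        if r is None:
            continue  # slapi_ldap_bind summary lines carry no minor-code reason
        kind = classify(r["reason"])
        if m["component"] == "NSMMReplicationPlugin":
            a = AGMT_RE.search(m["msg"])
            agreements[(a["agmt"] if a else "?", kind)] += 1
        else:
            reasons[kind] += 1
    return reasons, agreements


if __name__ == "__main__":
    by_reason, by_agreement = triage(SAMPLE_LOG)
    print(dict(by_reason))
    print(dict(by_agreement))
```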
