Hi,

On Fri, 7 Nov 2014, Dmitri Pal wrote:

On 11/07/2014 01:24 AM, Will Sheldon wrote:
On November 6, 2014 at 10:07:54 PM, Dmitri Pal (d...@redhat.com <mailto:d...@redhat.com>) wrote:
On 11/07/2014 12:18 AM, Will Sheldon wrote:

On the whole we are loving FreeIPA, Many thanks and much respect to all involved, we’ve had a great 12-18 months hassle free use out of it - it is a fantastically stable trouble free solution… however now we’ve run into a small issue we (as mere mortals) are finding it hard to resolve :-/

We upgraded our ipa servers (3.0.0-42) to Centos 6.6. everything seems to go well, but one server is behaving oddly. It’s likely not an IPA issue, it also reset it’s hostname somehow after the upgrade (it’s an image in an openstack environment)

If anyone has any pointers as to how to debug I’d be hugely appreciative :)

Two servers, server1.domain.com and server2.domain.com

Server1 can’t push data to server2, there are updates and new records on server1 that do not exist on server2.


from the logs on server1:

[07/Nov/2014:01:33:42 +0000] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server) [07/Nov/2014:01:33:47 +0000] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.com" (server2:389): Replication bind with GSSAPI auth resumed [07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to replicate schema: rc=2 [07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.com" (server2:389): Consumer failed to replay change (uniqueid (null), CSN (null)): Can't contact LDAP server(-1). Will retry later.

Try to see
a) Server 1 properly resolves server 2
b) You can connect from server 1 to server 2 using ldapsearch
c) your firewall has proper ports open
d) dirserver on server 2 is actually running

All seems working:

[root@server1 ~]# ldapsearch -x -H ldap://server2.domain.com -s base -b '' namingContexts

Can you try kinit admin and then use kerberos GSSAPI to connect, i.e. -Y switch?

is this resolved? I observe it on my systems, too. Exact same symptoms. ldapsearch with "-Y GSSAPI" works.

Did you find anything in the server2 logs?

On my "server2", I see "sasl_io_recv failed to decode packet for connection #".

Could there be something wrong with default buffer sizes as described in https://bugzilla.redhat.com/show_bug.cgi?id=953653

I have nsslapd-sasl-max-buffer-size: 65536 on both machines, but my database is rather small: ~30 users, <10 hosts and services.

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@server1 ~]#

And:

[root@server2 ~]# /etc/init.d/dirsrv status
dirsrv DOMAIN-COM (pid 1009) is running...
dirsrv PKI-IPA (pid 1083) is running...
[root@server2 ~]#


Check logs on server 2 to see whether it actually sees an attempt to connect, I suspect not, so it is most likely a DNS/FW issue or dir server is not running on 2.


and the servers:

[root@server1 ~]# ipa-replica-manage list -v `hostname`
Directory Manager password:

server2.domain.com: replica
last init status: None
last init ended: None
last update status: 0 Replica acquired successfully: Incremental update started
last update ended: 2014-11-07 01:35:58+00:00
[root@server1 ~]#



[root@server2 ~]# ipa-replica-manage list -v `hostname`
Directory Manager password:

server1.domain.com: replica
last init status: None
last init ended: None
last update status: 0 Replica acquired successfully: Incremental update succeeded
last update ended: 2014-11-07 01:35:43+00:00
[root@server2 ~]#


Mit freundlichen Gruessen/With best regards,

--Daniel.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to