Hi,
On Fri, 7 Nov 2014, Dmitri Pal wrote:
On 11/07/2014 01:24 AM, Will Sheldon wrote:
On November 6, 2014 at 10:07:54 PM, Dmitri Pal ([email protected]
<mailto:[email protected]>) wrote:
On 11/07/2014 12:18 AM, Will Sheldon wrote:
On the whole we are loving FreeIPA, Many thanks and much respect to
all involved, we’ve had a great 12-18 months hassle free use out of
it - it is a fantastically stable trouble free solution… however now
we’ve run into a small issue we (as mere mortals) are finding it hard
to resolve :-/
We upgraded our ipa servers (3.0.0-42) to Centos 6.6. everything
seems to go well, but one server is behaving oddly. It’s likely not
an IPA issue, it also reset it’s hostname somehow after the upgrade
(it’s an image in an openstack environment)
If anyone has any pointers as to how to debug I’d be hugely
appreciative :)
Two servers, server1.domain.com and server2.domain.com
Server1 can’t push data to server2, there are updates and new records
on server1 that do not exist on server2.
from the logs on server1:
[07/Nov/2014:01:33:42 +0000] NSMMReplicationPlugin -
agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to send
endReplication extended operation (Can't contact LDAP server)
[07/Nov/2014:01:33:47 +0000] NSMMReplicationPlugin -
agmt="cn=meToserver2.domain.com" (server2:389): Replication bind with
GSSAPI auth resumed
[07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin -
agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to
replicate schema: rc=2
[07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin -
agmt="cn=meToserver2.domain.com" (server2:389): Consumer failed to replay
change (uniqueid (null), CSN (null)): Can't contact LDAP server(-1). Will
retry later.
Try to see
a) Server 1 properly resolves server 2
b) You can connect from server 1 to server 2 using ldapsearch
c) your firewall has proper ports open
d) dirserver on server 2 is actually running
All seems working:
[root@server1 ~]# ldapsearch -x -H ldap://server2.domain.com -s base -b ''
namingContexts
Can you try kinit admin and then use kerberos GSSAPI to connect, i.e. -Y
switch?
is this resolved? I observe it on my systems, too. Exact same symptoms.
ldapsearch with "-Y GSSAPI" works.
Did you find anything in the server2 logs?
On my "server2", I see "sasl_io_recv failed to decode packet for
connection #".
Could there be something wrong with default buffer sizes as described in
https://bugzilla.redhat.com/show_bug.cgi?id=953653
I have nsslapd-sasl-max-buffer-size: 65536 on both machines, but my
database is rather small: ~30 users, <10 hosts and services.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=domain,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@server1 ~]#
And:
[root@server2 ~]# /etc/init.d/dirsrv status
dirsrv DOMAIN-COM (pid 1009) is running...
dirsrv PKI-IPA (pid 1083) is running...
[root@server2 ~]#
Check logs on server 2 to see whether it actually sees an attempt to
connect, I suspect not, so it is most likely a DNS/FW issue or dir server
is not running on 2.
and the servers:
[root@server1 ~]# ipa-replica-manage list -v `hostname`
Directory Manager password:
server2.domain.com: replica
last init status: None
last init ended: None
last update status: 0 Replica acquired successfully: Incremental update
started
last update ended: 2014-11-07 01:35:58+00:00
[root@server1 ~]#
[root@server2 ~]# ipa-replica-manage list -v `hostname`
Directory Manager password:
server1.domain.com: replica
last init status: None
last init ended: None
last update status: 0 Replica acquired successfully: Incremental update
succeeded
last update ended: 2014-11-07 01:35:43+00:00
[root@server2 ~]#
Mit freundlichen Gruessen/With best regards,
--Daniel.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
