On 02/09/2015 05:16 PM, Chris Mohler wrote:
> On 02/09/2015 10:18 AM, Martin Kosek wrote:
>> On 02/07/2015 12:27 AM, Chris Mohler wrote:
>>> I'm having some troubles. I have an older IPA install Version 3.0.0. on
>>> Centos 6.6. It's currently the only master for my domain. I have about 4k
>>> user accounts on here and it's a live system called "idm"
>>>
>>> I'm trying to upgrade to V4.x as I am hoping to fix some issues I am having.
>>> (clients can't auth unless service sssd is restarted multiple times "10 (User
>>> not known to the underlying authentication module") I think this is possibly
>>> unrelated and the topic for another thread.
>>>
>>> I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2 it's
>>> called "ipa"
>> Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
>> in, so you can also use that platform if you are used to it.
>>
>>> on the master "idm" I ran "ipa-replica-prepare" and transferred the file to
>>> the future replica "ipa" Then I ran the install replica script
>>> ipa-replica-install --setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
>>> Things went well until it failed
>>>
>>> [24/35]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> Update in progress, 133 seconds elapsed
>>> Update in progress yet not in progress
>>>
>>> Update in progress yet not in progress
>>>
>>> Update in progress yet not in progress
>>>
>>> [idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
>>>
>>> [error] RuntimeError: Failed to start replication
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> Please help I'm getting nowhere by myself.
>> Can you please look on the master you are replicating from and look for errors
>> in /var/log/messages or DS errors log?
>>
>> Maybe you will see messages like "ns-slapd: encoded packet size too big
>> (xxxxxx > 65536)" that are known to pop up more with CentOS 6.6.
> Hi Martin,
> Thanks for the reply and help I appreciate it.
>
>> Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
>> in, so you can also use that platform if you are used to it.
> Good to know. I try to be distro agnostic. I've used Redhat 7.1 then went
> Solaris, then Ubuntu, Now I'm back for Centos and Fedora. I guess I'm equally
> uncomfortable with either version.
>
> That said, is there any reason that I could or should not have a replica on a
> Fedora 21 server and 2nd replica on a Centos 7.1 later? My understanding is
> the more the merrier.

It should just work. Just note that in case of Fedora Server, these are
upstream/Fedora bits which are only tested upstream. So if you for example
break something in Fedora 21 (not likely to happen though ;-) and then get the
change *replicated* to RHEL production instance, I do not think Red Hat support
would be happy with that.

Also, if for example upstream releases FreeIPA 4.2, I would not just plug it in
your production RHEL instance as it would upgrade all the data for 4.2 level -
which should get more downstream testing before Red Hat can rubber stamp it.

TLDR; if you are happy with the upstream level of support (this
list/IRC/Trac), knock yourself out :-)

>> Can you please look on the master you are replicating from and look for errors
>> in /var/log/messages or DS errors log?
>
> I tried to set up the replica again just now so I have some fresh logs.
>
> From the Dirserv error log
> [08/Feb/2015:22:14:48 -0500] - 389-Directory/126.96.36.199 B2014.314.1342 starting up
> [08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
> [08/Feb/2015:22:14:50 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for LDAPS requests
> [08/Feb/2015:22:14:50 -0500] - Listening on /var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
> [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - agmt="cn=meToipa.cs.oberlin.edu" (ipa:389): Schema replication update failed: Server is unwilling to perform
> [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total update session.
> [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa.cs.oberlin.edu" (ipa:389)"
>
> To be fair and not duplicate efforts I have had the following error
> [08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 12115968B; We recommend to increase the entry cache size nsslapd-cachememsize.
>
> To which I have asked another question "how do I change the entry cache size"
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html
> I now get additional errors which I would guess are possibly related.

IMO, this should not be related (should not break replication). I do not see
anything useful in the error log though. Did you also check /var/log/messages
for the errors log I sent?
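
The log check discussed in this thread, as an added example that is not part of the original messages: a small Python triage pass over the DS errors log and /var/log/messages that picks out the replication-related lines quoted above. The rule names and the functions `triage` and `cache_shortfall` are hypothetical, and the syslog line in the sample is constructed (the thread only gives the message text with "xxxxxx" as the size).

```python
import re

# Message bodies quoted in the thread. Timestamps differ between the DS errors
# log and /var/log/messages, so only the message body is matched.
RULES = [
    ("packet_too_big", re.compile(r"encoded packet size too big \((\d+) > (\d+)\)")),
    ("schema_repl_failed", re.compile(
        r'agmt="([^"]+)" \(([^)]+)\): Schema replication update failed: (.+)')),
    ("total_update_begin", re.compile(r'Beginning total update of replica "agmt="([^"]+)"')),
    ("entry_cache_small", re.compile(
        r"(\w+): entry cache size (\d+)B is less than db size (\d+)B")),
]

# Sample input: three lines taken from the thread (each joined back onto one
# line), one unrelated startup line, and one CONSTRUCTED syslog line.
SAMPLE = [
    "[08/Feb/2015:22:14:50 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests",
    '[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - agmt="cn=meToipa.cs.oberlin.edu" (ipa:389): '
    "Schema replication update failed: Server is unwilling to perform",
    '[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of replica '
    '"agmt="cn=meToipa.cs.oberlin.edu" (ipa:389)"',
    "[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is less than "
    "db size 12115968B; We recommend to increase the entry cache size nsslapd-cachememsize.",
    "Feb  9 10:41:02 idm ns-slapd: encoded packet size too big (2097152 > 65536)",  # constructed
]

def triage(lines):
    """Return (rule_name, captured_fields) for every line that matches a rule."""
    findings = []
    for line in lines:
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append((name, m.groups()))
                break
    return findings

def cache_shortfall(findings):
    """Bytes by which the database exceeds the entry cache, keyed by backend."""
    return {f[0]: int(f[2]) - int(f[1])
            for name, f in findings if name == "entry_cache_small"}

if __name__ == "__main__":
    found = triage(SAMPLE)
    for name, fields in found:
        print(name, fields)
    print("cache shortfall (bytes):", cache_shortfall(found))
```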