> [root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
> Enter LDAP Password:
> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
> cn: meToofficedc2.office.addomain.net
> nsds7NewWinGroupSyncEnabled: false
> objectClass: nsDSWindowsReplicationAgreement
> objectClass: top
> nsDS5ReplicaTransportInfo: TLS
> description: me to officedc2.office.addomain.net
> nsDS5ReplicaRoot: dc=ipadomain,dc=net
> nsDS5ReplicaHost: officedc2.office.addomain.net
> nsds5replicaTimeout: 120
> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
> nsds7NewWinUserSyncEnabled: true
> nsDS5ReplicaPort: 389
> nsds7WindowsDomain: ipadomain.net
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
>  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicaBindMethod: simple
> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>  RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
>  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
>  I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
> nsds7DirsyncCookie:: TVNEUwMAAAC1t/mKGaLQAQAAAAAAAAAAYAEAAKlEoQAAAAAAAAAAAAAAA
>  ACpRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
>  13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
>  PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP
>  /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi6lEoQAAA
>  AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
>  mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
>  NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
> nsds50ruv: {replicageneration} 553fe9bb000000040000
> nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9000000040000 5575dff8000000040000
> nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c4000000030000 557244db001700030000
> nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.net:389} 5575df5e
> nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.net:389} 00000000
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 20150608183216Z
> nsds5replicaLastUpdateEnd: 20150608183216Z
> nsds5replicaChangesSentSinceStartup:: NDozMC8wIA==
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 0
> nsds5replicaLastInitEnd: 0
>
> =====================================================
> hmmm, problem still exists and not sure how to fix it
> =====================================================
>
This is also really strange: when I run an ipactl restart I get the following weird stuff in my log. Messages about ACL targets not existing and a strange Kerberos error where the host can't find its own keytab or LDAP service record?

[08/Jun/2015:19:04:06 +0000] - 389-Directory/1.3.3.8 B2015.040.128 starting up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING: userRoot: entry cache size 512000B is less than db size 12500992B; We recommend to increase the entry cache size nsslapd-cachememsize.
[08/Jun/2015:19:04:06 +0000] - WARNING: ipaca: entry cache size 512000B is less than db size 1343488B; We recommend to increase the entry cache size nsslapd-cachememsize.
[08/Jun/2015:19:04:06 +0000] - WARNING: changelog: entry cache size 512000B is less than db size 45654016B; We recommend to increase the entry cache size nsslapd-cachememsize.
[08/Jun/2015:19:04:06 +0000] - resizing db cache size: 400000 -> 320000
[08/Jun/2015:19:04:06 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipadomain,dc=net
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target ou=sudoers,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=users,cn=compat,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[08/Jun/2015:19:04:08 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipadomain,dc=net--no CoS Templates found, which should be added before the CoS Definition.
[08/Jun/2015:19:04:08 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/dc1.ipadomain....@ipadomain.net] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[08/Jun/2015:19:04:08 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[08/Jun/2015:19:04:08 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipadomain,dc=net--no CoS Templates found, which should be added before the CoS Definition.
[08/Jun/2015:19:04:08 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[08/Jun/2015:19:04:08 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[08/Jun/2015:19:04:08 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[08/Jun/2015:19:04:08 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[08/Jun/2015:19:04:08 +0000] - Listening on /var/run/slapd-IPADOMAIN-NET.socket for LDAPI requests
[08/Jun/2015:19:04:38 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'IPADOMAIN.NET')) errno 115 (Operation now in progress)
[08/Jun/2015:19:04:38 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[08/Jun/2015:19:04:39 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth resumed

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
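The sequence in the log above is worth checking mechanically rather than by eye: the GSSAPI replication bind to dc2 fails in the same second as "slapd started" (no Kerberos credentials yet, then "Cannot contact any KDC"), and about thirty seconds later the agreement logs "resumed". The script below is an added example for this thread, not code from the original post, from FreeIPA or from 389-ds. It parses errors-log lines of that shape, groups the failed/resumed events per replication agreement, and reports whether each agreement recovered (transient, tagged as a startup race when the failure sits within a grace window of "slapd started") or is still failing (persistent). The sample log is constructed from the lines quoted in the reply plus one invented agreement, cn=meTodc3.ipadomain.net, that never resumes; the 60-second grace window is an assumption.

```python
"""Classify GSSAPI replication-bind failures in a 389-ds errors log.

Added example for this thread; not code from the original post, from
FreeIPA or from 389-ds. Reads lines of the shape shown in the reply and
reports, per replication agreement, whether a bind failure was followed
by a 'resumed' line (transient) or is still outstanding (persistent).
"""
import re
import sys
from datetime import datetime

# NSMMReplicationPlugin agreement lines, as logged in the thread.
AGMT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<peer>[^)]+)\): Replication bind with GSSAPI auth '
    r'(?P<event>failed|resumed)(?:: (?P<detail>.*))?$'
)
# "slapd started" marks the end of startup; a failure logged near it is the
# pattern from the thread (dirsrv binds before the KDC is reachable).
STARTED_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] - slapd started\.')
# Innermost trailing "(reason))" of the SASL/GSSAPI detail, e.g.
# "... (No Kerberos credentials available))".
REASON_RE = re.compile(r'\(([^()]*)\)\)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: three lines from the log quoted in the reply plus an
# invented agreement (meTodc3) whose bind never resumes.
SAMPLE_LOG = """\
[08/Jun/2015:19:04:08 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[08/Jun/2015:19:04:08 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[08/Jun/2015:19:04:39 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth resumed
[08/Jun/2015:19:05:10 +0000] NSMMReplicationPlugin - agmt="cn=meTodc3.ipadomain.net" (dc3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'IPADOMAIN.NET'))
"""


def parse_log(text):
    """Return (slapd start time or None, [(ts, agmt, peer, event, reason), ...])."""
    started, events = None, []
    for line in text.splitlines():
        m = STARTED_RE.match(line)
        if m:
            started = datetime.strptime(m["ts"], TS_FMT)
            continue
        m = AGMT_RE.match(line)
        if not m:
            continue
        reason = None
        if m["detail"]:
            r = REASON_RE.search(m["detail"])
            reason = r.group(1) if r else m["detail"]
        events.append((datetime.strptime(m["ts"], TS_FMT),
                       m["agmt"], m["peer"], m["event"], reason))
    return started, events


def classify(text, startup_grace=60):
    """Per agreement: 'transient' if the latest failure was followed by a
    resume, 'persistent' if the latest event is still a failure. Failures
    within startup_grace seconds (assumed value) of 'slapd started' are
    tagged startup_race=True."""
    started, events = parse_log(text)
    report = {}
    for ts, agmt, peer, event, reason in sorted(events, key=lambda e: e[0]):
        s = report.setdefault(agmt, {
            "peer": peer, "failures": 0, "reasons": [], "outage_seconds": 0.0,
            "startup_race": False, "status": "ok", "_down_since": None})
        if event == "failed":
            s["failures"] += 1
            s["reasons"].append(reason)
            if s["_down_since"] is None:
                s["_down_since"] = ts
            if started is not None and abs((ts - started).total_seconds()) <= startup_grace:
                s["startup_race"] = True
            s["status"] = "persistent"
        else:  # resumed: close the outage window opened by the failure
            if s["_down_since"] is not None:
                s["outage_seconds"] += (ts - s["_down_since"]).total_seconds()
                s["_down_since"] = None
            s["status"] = "transient" if s["failures"] else "ok"
    for s in report.values():
        del s["_down_since"]
    return report


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    for agmt, s in classify(text).items():
        print(f"{agmt} ({s['peer']}): {s['status']}, failures={s['failures']}, "
              f"outage={s['outage_seconds']:.0f}s, startup_race={s['startup_race']}, "
              f"reasons={sorted(set(r for r in s['reasons'] if r))}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to see the constructed sample classified, or pass the instance's errors log (for the instance in the thread that is /var/log/dirsrv/slapd-IPADOMAIN-NET/errors, the standard 389-ds location). An agreement reported as transient with startup_race=True matches what the log above shows: dirsrv came up before the KDC was answering, and the bind recovered on its own. A persistent result, or repeated failures long after startup, points at the keytab in /etc/dirsrv/ds.keytab or at KDC reachability rather than at restart ordering.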