Janelle wrote:
On 6/15/15 6:36 AM, Rob Crittenden wrote:
Janelle wrote:
Good morning and happy Monday,

I have a strange problem. Wondering if anyone has seen this before in
trying to run an ipa migrate-ds?

ipa: ERROR: The search criteria was not specific enough. Expected 1 and
found 2.

The migration worked previously, but now, in order to try and update
some missing accounts that were added, now it no longer works and
generates this error. I can't find anyway to get verbose information to
found out what it is finding "2" of?

Usually means there is a replication conflict entry. You may be able
to get more details on what failed by looking at the LDAP access log
of both LDAP servers, though I guess I'd expect this happened locally
on the IPA box.

rob

I found the problem, but now when trying to re-init from a good server
using ipa-replica-manage re-initialize, I get:

TLS error -8172:Peer's certificate issuer has been marked as not trusted
by the user.

But how does THIS happen??
~J

I don't know, I'd be curious to know if you can tell more context around where it failed (it may be opaque, or at least you'd have to dig carefully through both access logs to find it).

The first thing that happens is the agreement is looked up on both sides, the both sides are enabled, then a force sync is done, then replication is reinitialized. It could blow up at any point.

Given that it sounds like you are deploying multiple IPA installations, potentially with the same realm name, is it possible that you reinitialized from a master unknown to the server (e.g. in a different IPA install)?

That or the 389-ds NSS database on one side or another was modified somehow. It must have worked at one time because TLS is used for replication during the installation.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to