Sorry it's taken a while to get back to you, I was gone for a few weeks. This seemed to get us back up and running and things looked like they were working, but looking at the logs, it appears we're hitting the next issue that is going to eventually bite us. :)
Here's what I'm seeing in the logs:

> [15/Sep/2015:08:57:29 -0400] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "david": 32
> [15/Sep/2015:09:56:20 -0400] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "emily": 32
> [15/Sep/2015:09:56:20 -0400] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "emily": 32
> [15/Sep/2015:11:50:34 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=102502,cn=changelog!!
> [15/Sep/2015:12:02:19 -0400] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "tina": 32
> [15/Sep/2015:12:02:19 -0400] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "tina": 32

I've found some references to this stuff in Google searches, but I'm not really clear on what the implications are, nor how to go about understanding it well enough to know the right fix.

There are two hosts (ipa and ipa2). These logs are from the "ipa" server, the one I had to rebuild. I do eventually get this:

> [15/Sep/2015:12:58:46 -0400] NSMMReplicationPlugin - agmt="cn=meToipa2.XXX" (ipa2:389): Replication bind with GSSAPI auth resumed

...but the original_tombstone thing makes me think something is still not in sync. Any clues as to what else I might need to do to make sure this server is back in 100% working order?

Thanks,
Ben

On 8/24/15 2:42 AM, Martin Kosek wrote:
>> I fear this means that something is still not properly in sync and will
>> eventually come back to bite me. Any ideas what's going on here, and
>> how to fix it?
> Yup, this looks like something that can eventually bite you. It looks like your
> replica's CA database got somehow corrupted and stopped replicating with the other
> master. This could lead to outdated data on the replica, like certificates,
> CRL, etc.
>
> You can re-initialize the Dogtag database from another healthy master with CA,
> using the "ipa-csreplica-manage" command. Some advice should be, for example, here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-topology.html#initialize
>
> (Note that we need "ipa-csreplica-manage" in this case, as the reported faulty
> agreement is a Dogtag/CA agreement)

-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
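The three kinds of message Ben quotes are easy to lose in a busy 389-ds errors log, so below is a small triage script that classifies them. It is an added example written for this page, not code from the thread, from FreeIPA or from 389-ds. The only external fact it relies on is the standard LDAP result-code table from RFC 4511, where the trailing `32` in the ipalockout messages is `noSuchObject` (the plugin could not find the user entry it wanted to read). The sample lines are copied from the message above; the regexes, the `triage` and `findings` function names and the result layout are this example's own assumptions, and the script only reports what it sees, it does not decide the fix.

```python
"""Triage 389-ds errors-log lines of the kind quoted in the thread above.

Added example for this page, not FreeIPA or 389-ds code.  The log lines in
SAMPLE_LOG are the ones quoted in the mail; the regexes and the output
layout are this script's own assumptions.  Result codes follow RFC 4511.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Standard LDAP result codes (RFC 4511) that these messages may carry.
LDAP_RESULT_CODES = {
    0: "success",
    1: "operationsError",
    32: "noSuchObject",
    50: "insufficientAccessRights",
    68: "entryAlreadyExists",
}

# One record: "[15/Sep/2015:08:57:29 -0400] component - message"
RECORD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<component>\S+)\s+-\s+(?P<msg>.*)$")
# ipa_lockout plugin could not read the user entry it wanted to update.
LOCKOUT_RE = re.compile(
    r'\[file ipa_lockout\.c, line (?P<line>\d+)\]: '
    r'Failed to retrieve entry "(?P<uid>[^"]+)": (?P<code>\d+)'
)
# Backend delete of a changelog record that has no original tombstone.
TOMBSTONE_RE = re.compile(r"No original_tombstone for changenumber=(?P<cn>\d+),cn=changelog")
# Replication-plugin event for a named agreement and peer.
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): (?P<event>.*)$')

# Log lines as quoted in the thread (constructed input for this example).
SAMPLE_LOG = [
    '[15/Sep/2015:08:57:29 -0400] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "david": 32',
    '[15/Sep/2015:09:56:20 -0400] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "emily": 32',
    '[15/Sep/2015:09:56:20 -0400] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "emily": 32',
    '[15/Sep/2015:11:50:34 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=102502,cn=changelog!!',
    '[15/Sep/2015:12:02:19 -0400] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "tina": 32',
    '[15/Sep/2015:12:02:19 -0400] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "tina": 32',
    '[15/Sep/2015:12:58:46 -0400] NSMMReplicationPlugin - agmt="cn=meToipa2.XXX" (ipa2:389): Replication bind with GSSAPI auth resumed',
]


def parse_record(line):
    """Split one errors-log line into (timestamp, component, message), or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("component"), m.group("msg")


def triage(lines):
    """Bucket log lines into the three symptom groups seen in the thread."""
    missing = defaultdict(Counter)  # uid -> Counter of (hook, result-code name)
    tombstones = []                 # changenumbers deleted without an original tombstone
    replication = []                # (agreement, peer, event)
    unparsed = []                   # anything this script does not recognise
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)
            continue
        _ts, component, msg = rec
        if component.startswith("ipalockout_"):
            m = LOCKOUT_RE.search(msg)
            if m:
                code = int(m.group("code"))
                name = LDAP_RESULT_CODES.get(code, "code%d" % code)
                hook = component.split("_", 1)[1]  # "preop" or "postop"
                missing[m.group("uid")][(hook, name)] += 1
                continue
        if component == "ldbm_back_delete":
            m = TOMBSTONE_RE.search(msg)
            if m:
                tombstones.append(int(m.group("cn")))
                continue
        if component == "NSMMReplicationPlugin":
            m = AGMT_RE.search(msg)
            if m:
                replication.append((m.group("agmt"), m.group("peer"), m.group("event")))
                continue
        unparsed.append(line)
    return {"missing": dict(missing), "tombstones": tombstones,
            "replication": replication, "unparsed": unparsed}


def findings(result):
    """Turn a triage result into the questions an admin should go and answer."""
    out = []
    for uid, counts in sorted(result["missing"].items()):
        names = ", ".join(sorted({name for _hook, name in counts}))
        out.append("lockout plugin could not read the entry for %r (%s): "
                   "does that user exist on this replica?" % (uid, names))
    for cn in result["tombstones"]:
        out.append("changelog changenumber=%d was deleted with no original tombstone: "
                   "compare replication state with the other master" % cn)
    for agmt, peer, event in result["replication"]:
        out.append("agreement %s to %s: %s" % (agmt, peer, event))
    return out


if __name__ == "__main__":
    for item in findings(triage(SAMPLE_LOG)):
        print(item)
```

Run it against a real `/var/log/dirsrv/slapd-*/errors` by reading the file into a list and passing it to `triage`; anything it does not recognise ends up in `unparsed` rather than being silently dropped, which matters when you are trying to decide whether a server is fully in sync.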
