On 06.05.2016 21:29, Devin Acosta wrote:
I am running the latest FreeIPA on CentOS 7.2.

I noticed I had a “nsds5ReplConflict” with an item. I tried to follow the webpage to rename and delete, but that failed. I then tried to have ipa1-i2x reload from the ipa01-aws instance, and now it seems to have gone maybe worse? Can you please advise how to get back to a healthy system? I initially added a system account as recommended so I could have, say, Jira/Confluence do user searches against IDM.

[dacosta@ipa1-i2x ~]$ ldapsearch -x -D "cn=directory manager" -w 'password' -b "dc=rsinc,dc=local" "nsds5ReplConflict=*" \* nsds5ReplConflict
# extended LDIF
#
# LDAPv3
# base <dc=rsinc,dc=local> with scope subtree
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
#

# 7ad08581-059911e6-b55c83a4-93228cdf + ldapsearch, sysaccounts, etc, rsinc.loc
 al
dn: nsuniqueid=7ad08581-059911e6-b55c83a4-93228cdf+uid=ldapsearch,cn=sysaccoun
 ts,cn=etc,dc=rsinc,dc=local
userPassword:: e1NTSEF9M3krdTh5TkdYV=
=
uid: ldapsearch
objectClass: account
objectClass: simplesecurityobject
objectClass: top
nsds5ReplConflict: namingConflict uid=ldapsearch,cn=sysaccounts,cn=etc,dc=rsin
 c,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[dacosta@ipa1-i2x ~]$ ./ipa_check_consistency -H "ipa1-i2x.local ipa01-aws.rsinc.local" -d RSINC.LOCAL
Directory Manager password:
FreeIPA servers: ipa1-i2x ipa01-aws STATE
===================================================
Active Users ERROR 33 FAIL
Stage Users ERROR 0 FAIL
Preserved Users ERROR 0 FAIL
User Groups ERROR 7 FAIL
Hosts ERROR 82 FAIL
Host Groups ERROR 1 FAIL
HBAC Rules ERROR 2 FAIL
SUDO Rules ERROR 4 FAIL
DNS Zones ERROR 14 FAIL
LDAP Conflicts ERROR YES FAIL
Anonymous BIND ERROR on FAIL
Replication Status ipa02-aws 0
ipa1-i2x 0
===================================================


[dacosta@ipa1-i2x ~]$ ipa-replica-manage list
ipa: WARNING: session memcached servers not running
ipa02-aws.rsinc.local: master
ipa01-aws.rsinc.local: master
ipa1-i2x.rsinc.local: master


Devin Acosta
Linux Certified Engineer
e: de...@linuxguru.co




Hello, it is not clear to me what is wrong. Do you have conflicts there?
The output of the command is not from a tool supported by FreeIPA; I have no idea what is wrong.

To check replication status for each IPA server, run:
ipa-replica-manage -v list <hostname>

Can you kinit on all replicas?
Can you do ldapsearch as directory manager on each server?

Martin
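
The folded `ldapsearch` output in the question can be read mechanically. The following is an added example, not part of the thread and not FreeIPA code: it unfolds LDIF continuation lines, lists entries carrying `nsds5ReplConflict`, and redacts `userPassword` values. The sample data, the function names and the `<kind> <dn>` reading of the attribute value (as it appears in the output above) are assumptions.

```python
import re

# Constructed sample in the shape of the ldapsearch output above (folded lines).
SAMPLE = """\
# extended LDIF
dn: nsuniqueid=11111111-22222222-33333333-44444444+uid=svc-search,cn=sysaccoun
 ts,cn=etc,dc=example,dc=test
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
uid: svc-search
nsds5ReplConflict: namingConflict uid=svc-search,cn=sysaccounts,cn=etc,dc=exam
 ple,dc=test

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
"""

SENSITIVE = {"userpassword"}  # attribute values never echoed back in a report

def unfold(ldif):
    """Undo LDIF folding: a line starting with one space continues the previous line."""
    return re.sub(r"\r?\n ", "", ldif)

def parse_entries(ldif):
    """Yield each entry as a list of (attribute, value) pairs; comment lines are skipped."""
    for block in re.split(r"\n\s*\n", unfold(ldif)):
        pairs = []
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            value = value.lstrip(":").strip()  # "::" marks a base64-encoded value
            pairs.append((attr, "<redacted>" if attr.lower() in SENSITIVE else value))
        if pairs:
            yield pairs

def find_conflicts(ldif):
    """Return (conflict_dn, kind, original_dn) for every entry with nsds5ReplConflict."""
    found = []
    for pairs in parse_entries(ldif):
        attrs = {a.lower(): v for a, v in pairs}
        if "nsds5replconflict" in attrs:
            kind, _, original = attrs["nsds5replconflict"].partition(" ")
            found.append((attrs.get("dn"), kind, original))
    return found

if __name__ == "__main__":
    for dn, kind, original in find_conflicts(SAMPLE):
        print(f"{kind}: {dn}\n  collides with {original}")
```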