On 08/12/2016 04:10 PM, Louis Francoeur wrote:

Since the rpm update to ipa-server-dns-4.2.0-15.0.1.el7.centos.18.x86_64 (running on Centos 7),

most of my replication started to failed with:

what do you mean by "most of", if some servers still work and others don't is there something different ?

last update status: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server

what is in the error log of directory server ? Identify one broken replication connection and check both supplier and consumer side

Then setup contains about 10 ipa servers in 5 different locations.

But i went and ran an ipa-replica-conncheck i get this:

# ipa-replica-conncheck --replica server.domain.local
Check connection from master to remote replica 'server.domain.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

I even ran the following without issue:

    # kinit -kt /etc/dirsrv/ds.keytab ldap/`hostname`
    # klist
    # ldapsearch -Y GSSAPI -h `hostname` -b "" -s base
    # ldapsearch -Y GSSAPI -h the.other.master.fqdn -b "" -s base

Not really sure what to check for next?

Any hint?


Louis Francoeur

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to