On 08/12/2016 04:10 PM, Louis Francoeur wrote:

Since the rpm update to ipa-server-dns-4.2.0-15.0.1.el7.centos.18.x86_64 
(running on Centos 7),

most of my replication started to failed with:

what do you mean by "most of", if some servers still work and others don't is 
there something different ?

All servers were created as a replica from server3

Server1 - 3 of 4 replication failing

Server2 - 2 of 2 replication failing

Server3 - 1 of 6 replication failing - Originating server for all others

Server4 - 4 of 4 replication failing

Server5 - 1 of 2 replication failing

Server6 - 3 of 3 replication failing

Server7 - 2 of 2 replication failing

Server8 - 3 of 3 replication failing

Server9 - all ok (only 1 replication)

Server10 - 1 of 1 replication failing

last update status: -1 Incremental update has failed and requires administrator 
actionLDAP error: Can't contact LDAP server

what is in the error log of directory server ? Identify one broken replication 
connection and check both supplier and consumer side

This is the one i see more often:

attrlist_replace - attr_replace (nsslapd-referral, 
ldap://server.domain.local:389/o%3Dipaca) failed.

Connection seems fine both side

I saw this but i am not sure i understand what to look for


ldapsearch -ZZ -h server.domain.local -D "cn=Directory Manager" -W -b "o=ipaca" 
| grep "nsds50ruv\|nsDS5ReplicaId"

nsDS5ReplicaId: 66
nsds50ruv: {replicageneration} 56d0badb000000600000
nsds50ruv: {replica 66 ldap://server2.domain.local:389} 56e85e4600
nsds50ruv: {replica 96 ldap://server3.domain.local:389} 56d0bae10
nsds50ruv: {replica 71 ldap://server2.domain.local:389} 56e857a000
nsds50ruv: {replica 76 ldap://server1.domain.local:389} 56e84f7f00
nsds50ruv: {replica 81 ldap://server5.domain.local:389} 56e31c930
nsds50ruv: {replica 86 ldap://server8.domain.local:389} 56e313230
nsds50ruv: {replica 91 ldap://server8.domain.local:389} 56d8a2b00
nsds50ruv: {replica 97 ldap://server6.domain.local:389} 56d0bb000
nsds50ruv: {replica 61 ldap://server7.domain.local:389} 56f190110
nsds50ruv: {replica 1095 ldap://server9.domain.local:389} 572a48e7000
nsds50ruv: {replica 1090 ldap://server9.domain.local:389} 572a582f000
nsds50ruv: {replica 1085 ldap://server9.domain.local:389} 572b4af6000
nsds50ruv: {replica 56 ldap://server9.domain.local:389} 57333a4900000
nsds50ruv: {replica 1080 ldap://server10.domain.local:389} 5733810500

The others errors i saw were:

NSMMReplicationPlugin - agmt="cn=meToserver1.domain.local" (server1:389): 
Warning: unable to send endReplication extended operation (Can't contact LDAP 

NSMMReplicationPlugin - process_postop: Failed to apply update 
(579fa2a4000000060000) error (-1).  Aborting replication session(conn=23243 

Then setup contains about 10 ipa servers in 5 different locations.

But i went and ran an ipa-replica-conncheck i get this:

# ipa-replica-conncheck --replica server.domain.local
Check connection from master to remote replica 'server.domain.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

I even ran the following without issue:

# kinit -kt /etc/dirsrv/ds.keytab ldap/`hostname`
# klist
# ldapsearch -Y GSSAPI -h `hostname` -b "" -s base
# ldapsearch -Y GSSAPI -h the.other.master.fqdn -b "" -s base

Not really sure what to check for next?

Any hint?


Louis Francoeur

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to