On 08/12/2016 04:10 PM, Louis Francoeur wrote:
Since the rpm update to ipa-server-dns-4.2.0-15.0.1.el7.centos.18.x86_64
(running on Centos 7),
most of my replication started to failed with:
what do you mean by "most of", if some servers still work and others don't is
there something different ?
All servers were created as a replica from server3
Server1 - 3 of 4 replication failing
Server2 - 2 of 2 replication failing
Server3 - 1 of 6 replication failing - Originating server for all others
Server4 - 4 of 4 replication failing
Server5 - 1 of 2 replication failing
Server6 - 3 of 3 replication failing
Server7 - 2 of 2 replication failing
Server8 - 3 of 3 replication failing
Server9 - all ok (only 1 replication)
Server10 - 1 of 1 replication failing
last update status: -1 Incremental update has failed and requires administrator
actionLDAP error: Can't contact LDAP server
what is in the error log of directory server ? Identify one broken replication
connection and check both supplier and consumer side
This is the one i see more often:
attrlist_replace - attr_replace (nsslapd-referral,
ldap://server.domain.local:389/o%3Dipaca) failed.
Connection seems fine both side
I saw this but i am not sure i understand what to look for
https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html
ldapsearch -ZZ -h server.domain.local -D "cn=Directory Manager" -W -b "o=ipaca"
"(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
| grep "nsds50ruv\|nsDS5ReplicaId"
nsDS5ReplicaId: 66
nsds50ruv: {replicageneration} 56d0badb000000600000
nsds50ruv: {replica 66 ldap://server2.domain.local:389} 56e85e4600
nsds50ruv: {replica 96 ldap://server3.domain.local:389} 56d0bae10
nsds50ruv: {replica 71 ldap://server2.domain.local:389} 56e857a000
nsds50ruv: {replica 76 ldap://server1.domain.local:389} 56e84f7f00
nsds50ruv: {replica 81 ldap://server5.domain.local:389} 56e31c930
nsds50ruv: {replica 86 ldap://server8.domain.local:389} 56e313230
nsds50ruv: {replica 91 ldap://server8.domain.local:389} 56d8a2b00
nsds50ruv: {replica 97 ldap://server6.domain.local:389} 56d0bb000
nsds50ruv: {replica 61 ldap://server7.domain.local:389} 56f190110
nsds50ruv: {replica 1095 ldap://server9.domain.local:389} 572a48e7000
nsds50ruv: {replica 1090 ldap://server9.domain.local:389} 572a582f000
nsds50ruv: {replica 1085 ldap://server9.domain.local:389} 572b4af6000
nsds50ruv: {replica 56 ldap://server9.domain.local:389} 57333a4900000
nsds50ruv: {replica 1080 ldap://server10.domain.local:389} 5733810500
The others errors i saw were:
NSMMReplicationPlugin - agmt="cn=meToserver1.domain.local" (server1:389):
Warning: unable to send endReplication extended operation (Can't contact LDAP
server)
NSMMReplicationPlugin - process_postop: Failed to apply update
(579fa2a4000000060000) error (-1). Aborting replication session(conn=23243
op=6)
Then setup contains about 10 ipa servers in 5 different locations.
But i went and ran an ipa-replica-conncheck i get this:
# ipa-replica-conncheck --replica server.domain.local
Check connection from master to remote replica 'server.domain.local':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): WARNING
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): WARNING
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.
Connection from master to replica is OK.
I even ran the following without issue:
# kinit -kt /etc/dirsrv/ds.keytab ldap/`hostname`
# klist
# ldapsearch -Y GSSAPI -h `hostname` -b "" -s base
# ldapsearch -Y GSSAPI -h the.other.master.fqdn -b "" -s base
Not really sure what to check for next?
Any hint?
Thanks
Louis Francoeur
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
