On 09/26/2016 01:36 PM, Natxo Asenjo wrote:
hi,
I recently upgraded a centos 6.8 realm to centos 7.2 and it almost
went correctly.
Now I see some errors in /var/log/dirsrv/slapd-INSTANCENAME/errors
[26/Sep/2016:13:20:15 +0200] attrlist_replace - attr_replace
(nsslapd-referral, ldap://kdc03.unix.iriszorg.nl:389/o%3Dipaca) failed
and according to
http://www.freeipa.org/page/Troubleshooting#Replication_issues this
points to a ruv problem.
So let's enumerate.
We had kdc01 replicating to kdc02 (both 6.8).
Then I created a replica from kdc01 to kdc03 (running 7.2).
And from kdc03 to kdc04 (both 7.2).
kdc01 and kdc02 are decommissioned, but kdc02 still shows in both
kdc03 and kdc04:
$ ipa-replica-manage list
kdc02.unix.iriszorg.nl: master
kdc03.unix.iriszorg.nl: master
kdc04.unix.iriszorg.nl: master
and in
$ ipa-csreplica-manage list
Directory Manager password:
kdc02.unix.iriszorg.nl: master
kdc03.unix.iriszorg.nl: master
kdc04.unix.iriszorg.nl: master
From kdc03:
$ ldapsearch -Z -h kdc04.unix.iriszorg.nl -D "cn=Directory Manager" -W -b
"o=ipaca"
"(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
| grep "nsds50ruv\|nsDS5ReplicaId"
Enter LDAP Password:
nsDS5ReplicaId: 1095
nsds50ruv: {replicageneration} 50c1015c000000600000
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389} 50c1016c00000060000
nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389} 57e140c7000000470000
nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389} 50c1016800000061000
and from kdc04:
# ldapsearch -Z -h kdc04.unix.iriszorg.nl -D "cn=Directory Manager" -W -b
"o=ipaca"
"(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
| grep "nsds50ruv\|nsDS5ReplicaId"
Enter LDAP Password:
nsDS5ReplicaId: 1095
nsds50ruv: {replicageneration} 50c1015c000000600000
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389} 50c1016c00000060000
nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389} 57e140c7000000470000
nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389} 50c1016800000061000
So now I have to run a clean ruv task like this (as seen in
https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html):
# ldapmodify -ZZ -D "cn=directory manager" -W -a
dn: cn=clean 13, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: o=ipaca
replica-id: 13
cn: clean 13
And in my example, the replica id would be 66, 96, 71 and 97, correct?
No, I don't think so. You searched 2 times the same host "-h
kdc04.unix.iriszorg.nl".
You need to search on kdc03 to find the current replicaid of kdc03 and
you have to keep it.
Thanks for confirming this, never done it before.
--
Groeten,
natxo
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric
Shander
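
Added example, not part of the original thread: a Python sketch that parses the grep'd ldapsearch output from each master, keeps every master's own nsDS5ReplicaId, and lists the remaining RUV ids as cleanallruv candidates. The function names are hypothetical, and the kdc03 input is constructed (its replica id 71 is an assumption for illustration), since the thread only shows output from kdc04.

```python
import re

RID_RE = re.compile(r"^nsDS5ReplicaId:\s*(\d+)", re.I)
# One RUV element: {replica <id> <url>} <csn...>; {replicageneration} has no id and is skipped.
RUV_RE = re.compile(r"^nsds50ruv:\s*\{replica\s+(\d+)\s+(ldap://[^}\s]+)\}", re.I)

def unfold(text):
    """Undo LDIF folding: a line that starts with one space continues the previous line."""
    return re.sub(r"\r?\n ", "", text).splitlines()

def parse_ruv(text):
    """Return (own replica id, {replica id: url}) from one host's ldapsearch output."""
    own, ruv = None, {}
    for line in unfold(text):
        if m := RID_RE.match(line):
            own = int(m.group(1))
        elif m := RUV_RE.match(line):
            ruv[int(m.group(1))] = m.group(2)
    return own, ruv

def stale_ids(outputs_by_host):
    """RUV ids that are not the current nsDS5ReplicaId of any queried master."""
    keep, seen = set(), {}
    for host, text in outputs_by_host.items():
        own, ruv = parse_ruv(text)
        if own is None:
            raise ValueError(f"no nsDS5ReplicaId in output from {host}")
        if own in keep:  # the mistake pointed out in the reply: same -h used twice
            raise ValueError(f"{host} reports id {own} already seen; same server queried twice?")
        keep.add(own)
        seen.update(ruv)
    return {rid: url for rid, url in sorted(seen.items()) if rid not in keep}

# kdc04 output as quoted in the thread; the fold inside the last URL is constructed.
KDC04_OUT = """nsDS5ReplicaId: 1095
nsds50ruv: {replicageneration} 50c1015c000000600000
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389} 50c1016c00000060000
nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389} 57e140c7000000470000
nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:73
 89} 50c1016800000061000
"""
# Constructed input: the thread never shows kdc03's own answer; id 71 is assumed.
KDC03_OUT = KDC04_OUT.replace("nsDS5ReplicaId: 1095", "nsDS5ReplicaId: 71")

if __name__ == "__main__":
    for rid, url in stale_ids({"kdc03": KDC03_OUT, "kdc04": KDC04_OUT}).items():
        print(f"candidate for cleanallruv: replica-id {rid} ({url})")
```

Under the constructed assumption, id 66 is reported even though its URL names kdc03, which is why the hostname in the RUV is not enough and each master's own nsDS5ReplicaId has to be read from that master.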