On Mon, Sep 26, 2016 at 1:50 PM, Ludwig Krispenz <lkris...@redhat.com> wrote:
>
> On 09/26/2016 01:36 PM, Natxo Asenjo wrote:
>
> hi,
>
> I recently upgraded a centos 6.8 realm to centos 7.2 and it almost went
> correctly.
>
> Now I see some errors in /var/log/dirsrv/slapd-INSTANCENAME/errors
>
> 26/Sep/2016:13:20:15 +0200] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://kdc03.unix.iriszorg.nl:389/o%3Dipaca) failed
>
> and according to http://www.freeipa.org/page/Troubleshooting#Replication_issues
> this points to a ruv problem.
>
> So let's enumerate.
>
> We had kdc01 replicating to kdc02 (both 6.8).
>
> Then I created a replica from kdc01 to kdc03 (running 7.2).
>
> And from kdc03 to kdc04 (both 7.2).
>
> kdc01 and kdc02 are decommissioned, but kdc02 still shows in both kdc03
> and kdc04:
>
> $ ipa-replica-manage list
> kdc02.unix.iriszorg.nl: master
> kdc03.unix.iriszorg.nl: master
> kdc04.unix.iriszorg.nl: master
>
> and in
>
> $ ipa-csreplica-manage list
> Directory Manager password:
> kdc02.unix.iriszorg.nl: master
> kdc03.unix.iriszorg.nl: master
> kdc04.unix.iriszorg.nl: master
>
>
> From kdc03:
> $ ldapsearch -Z -h kdc04.unix.iriszorg.nl -D "cn=Directory Manager" -W -b
> "o=ipaca"
> "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
> | grep "nsds50ruv\|nsDS5ReplicaId"
> Enter LDAP Password:
> nsDS5ReplicaId: 1095
> nsds50ruv: {replicageneration} 50c1015c000000600000
> nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389}
> 57e4d75a0000044700
> nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389}
> 57e23f66000000420000
> nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389}
> 50c1016c00000060000
> nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389}
> 57e140c7000000470000
> nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389}
> 50c1016800000061000
>
> and from kdc04:
>
> # ldapsearch -Z -h kdc04.unix.iriszorg.nl -D "cn=Directory Manager" -W -b
> "o=ipaca"
> "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
> | grep "nsds50ruv\|nsDS5ReplicaId"
> Enter LDAP Password:
> nsDS5ReplicaId: 1095
> nsds50ruv: {replicageneration} 50c1015c000000600000
> nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389}
> 57e4d75a0000044700
> nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389}
> 57e23f66000000420000
> nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389}
> 50c1016c00000060000
> nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389}
> 57e140c7000000470000
> nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389}
> 50c1016800000061000
>
>
> So now I have to run a clean ruv task like this (as seen in
> https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html):
>
> # ldapmodify -ZZ -D "cn=directory manager" -W -a
> dn: cn=clean 13, cn=cleanallruv, cn=tasks, cn=config
> objectclass: extensibleObject
> replica-base-dn: o=ipaca
> replica-id: 13
> cn: clean 13
>
>
> And in my example, the replica id would be 66, 96, 71 and 97, correct?
>
> no, I don't think so. you searched 2 times the same host "-h
> kdc04.unix.iriszorg.nl".
> you need to search on kdc03 to find the current replicaid of kdc03 and you
> have to keep it.
>

yes, you are right :(

$ ldapsearch -Z -h kdc03.unix.iriszorg.nl -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"
Enter LDAP Password:
nsDS5ReplicaId: 66
nsds50ruv: {replicageneration} 50c1015c000000600000
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389} 50c1016c00000060000
nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389} 57e140c7000000470000
nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389} 50c1016800000061000

so I need to keep 66 and 1095, and run the task on 96, 71 and 97, it would seem.

Thanks for spotting my error.

--
regards,
natxo
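The check worked out in this thread, as an added example that is not part of the original messages: it reads one RUV capture per live master, keeps every id a master reports as its own nsDS5ReplicaId, and emits a cleanallruv task entry for each remaining id. The function names are hypothetical; the sample input is the output quoted in the thread, with the kdc04 capture constructed from the same RUV elements and its own id 1095.

```python
import re

# Sample input: RUV output as quoted in the thread for kdc03.
KDC03 = """\
nsDS5ReplicaId: 66
nsds50ruv: {replicageneration} 50c1015c000000600000
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389} 50c1016c00000060000
nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389} 57e140c7000000470000
nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389} 50c1016800000061000
"""
# Constructed: the same RUV elements as seen on kdc04, whose own id is 1095.
KDC04 = KDC03.replace("nsDS5ReplicaId: 66", "nsDS5ReplicaId: 1095")

RUV_RE = re.compile(r"^nsds50ruv: \{replica (\d+) (ldap\S+?)\}", re.M)
OWN_RE = re.compile(r"^nsDS5ReplicaId: (\d+)", re.M)

def parse_ruv(text):
    """Return (own replica id, {replica id: url}) from one master's output."""
    text = text.replace("\n ", "")  # undo LDIF line folding
    own = OWN_RE.search(text)
    if own is None:
        raise ValueError("no nsDS5ReplicaId in output")
    return int(own.group(1)), {int(r): u for r, u in RUV_RE.findall(text)}

def stale_replica_ids(outputs):
    """Ids present in any RUV that no queried live master reports as its own."""
    live, seen = set(), set()
    for text in outputs:
        own, ruv = parse_ruv(text)
        if own in live:  # the mistake caught in the thread: -h pointed at one host twice
            raise ValueError(f"replica id {own} seen twice: same host queried twice?")
        live.add(own)
        seen.update(ruv)
    return sorted(seen - live)

def cleanallruv_ldif(rid, base_dn="o=ipaca"):
    """Task entry in the form quoted in the thread, for ldapmodify -a."""
    return (f"dn: cn=clean {rid}, cn=cleanallruv, cn=tasks, cn=config\n"
            "objectclass: extensibleObject\n"
            f"replica-base-dn: {base_dn}\n"
            f"replica-id: {rid}\n"
            f"cn: clean {rid}\n")

if __name__ == "__main__":
    for rid in stale_replica_ids([KDC03, KDC04]):
        print(cleanallruv_ldif(rid))
```

Passing the kdc04 capture twice, as happened in the first message, raises an error instead of listing 66 for cleaning.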