After an IPA server is re-initialized it immediately begins failing
incremental updates. I checked the kerberos logs and things appear to
be ok there, I can manually test LDAP from all servers against all
other servers.

There is an DS5ReplicaBindDN entry in "dn:
cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" for
an IPA server that no longer exists. But all IPA living servers have
an entry for all other living servers.
There is the correct number of cn=master, and cn=ca, and the
caRenewalMaster is set on the correct master.

 "ipa-replica-manage del --force --clean <server>" does not remove the entry.

There were some RUV from the old servers also and I cleaned them. The
man page says if a clean is run on the wrong ID then the server should
be re-initialized, so I just did that on purpose and re-initialized
the one of the servers and that has cleared the NSMMReplicationPlugin
error (so far) but I am still getting the attrlist_replace error.

I'm getting no indication of kerberos problems.Could it be the
NSACLPlugin ? It preceeds the other error every time but that is
probably just regular startup procedure, and having an ACL for
something that doesn't exist doesn't feel like a fatal error to me. I
didn't do the KRA install.

[root@ipa05 slapd-example-com]# tail -f errors
[10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not
[10/Oct/2016:23:27:57 +0000] agmt=""
(ipa07:389) - Can't locate CSN 57fc2e7f000a000d0000 in the changelog
(DB rc=-30988). If replication stops, the consumer may need to be
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - changelog program
- agmt="" (ipa07:389): CSN
57fc2e7f000a000d0000 not found, we aren't as up to date, or we purged
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin -
agmt="" (ipa07:389): Data required to update
replica has been purged. The replica must be reinitialized.
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin -
agmt="" (ipa07:389): Incremental update failed
and requires administrator action
[10/Oct/2016:23:29:09 +0000] attrlist_replace - attr_replace
(nsslapd-referral, ldap:// failed.

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to