Hi,
you don't specify the version you are using:
If it is 389-ds-base-1.3.4.0-33.el7_2.x86_64
the following may apply:
>>>
we have identified an issue with this version, it includes a fix for
389-ds ticket #48766, which was incomplete and resolved shortly after
the release of this version (it is missing the latest patch for #49766
and for #48954).
You can try to go back to 1.3.4.0-32 or if you have support get a hotfix
from our support.
<<<
Sorry for this,
On 10/11/2016 03:48 AM, Fil Di Noto wrote:
After an IPA server is re-initialized it immediately begins failing
incremental updates. I checked the kerberos logs and things appear to
be ok there, I can manually test LDAP from all servers against all
other servers.
There is an DS5ReplicaBindDN entry in "dn:
cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" for
an IPA server that no longer exists. But all IPA living servers have
an entry for all other living servers.
There is the correct number of cn=master, and cn=ca, and the
caRenewalMaster is set on the correct master.
"ipa-replica-manage del --force --clean <server>" does not remove the entry.
There were some RUV from the old servers also and I cleaned them. The
man page says if a clean is run on the wrong ID then the server should
be re-initialized, so I just did that on purpose and re-initialized
the one of the servers and that has cleared the NSMMReplicationPlugin
error (so far) but I am still getting the attrlist_replace error.
I'm getting no indication of kerberos problems.Could it be the
NSACLPlugin ? It preceeds the other error every time but that is
probably just regular startup procedure, and having an ACL for
something that doesn't exist doesn't feel like a fatal error to me. I
didn't do the KRA install.
[root@ipa05 slapd-example-com]# tail -f errors
[10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target
cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not
exist
[10/Oct/2016:23:27:57 +0000] agmt="cn=meToipa07.example.com"
(ipa07:389) - Can't locate CSN 57fc2e7f000a000d0000 in the changelog
(DB rc=-30988). If replication stops, the consumer may need to be
reinitialized.
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - changelog program
- agmt="cn=meToipa07.example.com" (ipa07:389): CSN
57fc2e7f000a000d0000 not found, we aren't as up to date, or we purged
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin -
agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update
replica has been purged. The replica must be reinitialized.
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin -
agmt="cn=meToipa07.example.com" (ipa07:389): Incremental update failed
and requires administrator action
[10/Oct/2016:23:29:09 +0000] attrlist_replace - attr_replace
(nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric
Shander
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
