Things have been working better (so far) after taking some steps I read here:

On Mon, Oct 10, 2016 at 6:48 PM, Fil Di Noto wrote:
> After an IPA server is re-initialized it immediately begins failing
> incremental updates. I checked the kerberos logs and things appear to
> be ok there, I can manually test LDAP from all servers against all
> other servers.
> There is a DS5ReplicaBindDN entry in "dn:
> cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" for
> an IPA server that no longer exists. But all IPA living servers have
> an entry for all other living servers.
> There is the correct number of cn=master, and cn=ca, and the
> caRenewalMaster is set on the correct master.
>  "ipa-replica-manage del --force --clean <server>" does not remove the entry.
> There were some RUV from the old servers also and I cleaned them. The
> man page says if a clean is run on the wrong ID then the server should
> be re-initialized, so I just did that on purpose and re-initialized
> one of the servers and that has cleared the NSMMReplicationPlugin
> error (so far) but I am still getting the attrlist_replace error.
> I'm getting no indication of kerberos problems. Could it be the
> NSACLPlugin? It precedes the other error every time but that is
> probably just regular startup procedure, and having an ACL for
> something that doesn't exist doesn't feel like a fatal error to me. I
> didn't do the KRA install.
> [root@ipa05 slapd-example-com]# tail -f errors
> [10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=example,dc=com does not exist
> [10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target
> cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not
> exist
> [10/Oct/2016:23:27:57 +0000] agmt=""
> (ipa07:389) - Can't locate CSN 57fc2e7f000a000d0000 in the changelog
> (DB rc=-30988). If replication stops, the consumer may need to be
> reinitialized.
> [10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - changelog program
> - agmt="" (ipa07:389): CSN
> 57fc2e7f000a000d0000 not found, we aren't as up to date, or we purged
> [10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin -
> agmt="" (ipa07:389): Data required to update
> replica has been purged. The replica must be reinitialized.
> [10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin -
> agmt="" (ipa07:389): Incremental update failed
> and requires administrator action
> [10/Oct/2016:23:29:09 +0000] attrlist_replace - attr_replace
> (nsslapd-referral, ldap:// failed.
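
The CSN in the replication errors quoted above encodes which replica originated the missing change, which helps when matching it against the RUV entries being cleaned. As an added example (not part of the original post), this pulls the CSN out of the log lines and decodes it, assuming the usual 389-ds CSN layout of timestamp, sequence number, replica ID and sub-sequence number as hex fields; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: error-log lines from the post, unwrapped and with the
# mail quoting removed. The agmt name is empty on the page and stays empty.
SAMPLE_LOG = """\
[10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +0000] agmt="" (ipa07:389) - Can't locate CSN 57fc2e7f000a000d0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - changelog program - agmt="" (ipa07:389): CSN 57fc2e7f000a000d0000 not found, we aren't as up to date, or we purged
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - agmt="" (ipa07:389): Data required to update replica has been purged. The replica must be reinitialized.
"""

CSN_RE = re.compile(r"\bCSN ([0-9a-fA-F]{20})\b")
AGMT_RE = re.compile(r'agmt="[^"]*" \(([^)]+)\)')  # captures consumer host:port


def decode_csn(csn):
    """Split a 20-hex-digit CSN into its four fields (assumed layout: 8+4+4+4)."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError("not a 20-hex-digit CSN: %r" % csn)
    ts, seq, rid, subseq = (int(csn[a:b], 16)
                            for a, b in ((0, 8), (8, 12), (12, 16), (16, 20)))
    return {
        "time": datetime.fromtimestamp(ts, tz=timezone.utc),
        "seq": seq,
        "replica_id": rid,   # compare with the replica IDs listed in the RUV
        "subseq": subseq,
    }


def unresolved_csns(log_text):
    """Map (consumer, csn) -> decoded fields for every CSN an agreement reports."""
    found = {}
    for line in log_text.splitlines():
        csn, agmt = CSN_RE.search(line), AGMT_RE.search(line)
        if csn and agmt:
            key = (agmt.group(1), csn.group(1).lower())
            found.setdefault(key, decode_csn(key[1]))
    return found


if __name__ == "__main__":
    for (consumer, csn), f in unresolved_csns(SAMPLE_LOG).items():
        print("%s: CSN %s from replica ID %d, written %s" % (
            consumer, csn, f["replica_id"], f["time"].isoformat()))
```
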
