Hello Ludwig, thanks for the answer,
On Monday, 24 October 2016, 09:53:21, Ludwig Krispenz wrote:
> On 10/23/2016 03:01 PM, Günther J. Niederwimmer wrote:
> > I have added this user and ACI on my IPA (master) server with an LDIF file
> >
> > ldapmodify -x -D 'cn=Directory Manager' -W
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> > <blank line>
> > ^D
> >
> > dn: cn=users,cn=accounts,dc=example,dc=com
> > changetype: modify
> > add: aci
> > aci: (targetattr="mailAlternateAddress")
> > (targetfilter="(objectClass=mailrecipient)")
> >
> > (version
> > 3.0; acl "Allow system account to read mail address"; allow(read,
> > search, compare) userdn =
> > "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> >
> > This ends with a
> > modifying entry "cn=users,cn=accounts,dc=example,dc=com"
>
> these changes are not related to the errors you report below (I would be
> really surprised) and you only need to apply them on one server, that's
> what replication is good for.
>
> There are a couple of different types of messages:
> - failed to delete changelog record: this is from retro changelog
> trimming, when miscalculation of the starting point for trimming starts
> with changenumber lower than what's in the retro changelog.
> In my experience this can happen after a crash/kill/reboot and should
> stop after some time

OK, nothing to do ;-).

> - attrlist_replace errors: looks like you have recreated a replica on a
> machine and not cleaned the RUV, please see:
> http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records

I have not added or removed a replica. These two servers have been running now for, I mean, over three months. The last thing I remember is that I added a 3rd-party certificate, but I did not find so many errors before :-(.

Is there a way for a "normal" user to check a FreeIPA installation, to find out whether the system is consistent?

> - keep-alive already exists: this is also an indication of a new
> replica, the keep alive entry was in the database, but the supplier
> tries to send it again, this should also disappear once some real
> changes from replica 4 are replicated
>
> > but now I have on the changed master these 100... errors
> >
> > [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 396504 (rc: 32)
> > [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 396505 (rc: 32)
> > [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 396506 (rc: 32)
> > [23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep
> > alive
> > entry <cn=repl keep alive 4,dc=example,dc=com> already exists
> >
> > and on the replica (master) these 1000... errors
> >
> > [23/Oct/2016:13:42:50 +0200] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 240846 (rc: 32)
> > What is wrong with my changes, or do I have to add my changes on the
> > replicas as well?
> >
> > Thanks for an answer,

--
Kind regards / best regards,
Günther J. Niederwimmer
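As an added example (not part of the original thread, and not FreeIPA or 389-ds code), the following Python sketch sorts directory server error-log lines into the three message types Ludwig describes, so a flood of entries can be sized and triaged per cause. The sample lines are the ones quoted in the thread with the mail line-wrapping undone; matching `attrlist_replace` by substring is an assumption, since the thread does not show such a line.

```python
import re
from collections import Counter

# Log lines copied from the thread above (mail line-wrapping undone).
SAMPLE_LOG = """\
[23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 396504 (rc: 32)
[23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 396505 (rc: 32)
[23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 396506 (rc: 32)
[23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep alive entry <cn=repl keep alive 4,dc=example,dc=com> already exists
"""

# Retro changelog trimming failure; rc 32 is the LDAP result code noSuchObject.
TRIM = re.compile(r"delete_changerecord: could not delete change record (\d+) \(rc: (\d+)\)")
# Keep-alive entry already present; the number in the cn is the replica ID.
KEEPALIVE = re.compile(r"keep alive entry <cn=repl keep alive (\d+),[^>]*> already exists")


def triage(log_text):
    """Classify error-log lines and summarise each category."""
    counts = Counter()
    change_numbers, result_codes, replica_ids = [], set(), set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("["):  # skip blanks and non-log text
            continue
        if (t := TRIM.search(line)):
            counts["retrocl_trim"] += 1
            change_numbers.append(int(t.group(1)))
            result_codes.add(int(t.group(2)))
        elif (k := KEEPALIVE.search(line)):
            counts["keep_alive_exists"] += 1
            replica_ids.add(int(k.group(1)))
        elif "attrlist_replace" in line:  # assumption: substring match only
            counts["attrlist_replace"] += 1
        else:
            counts["other"] += 1
    span = (min(change_numbers), max(change_numbers)) if change_numbers else None
    return {
        "counts": dict(counts),
        "trim_range": span,  # lowest/highest change number that failed to trim
        "trim_result_codes": sorted(result_codes),
        "keep_alive_replica_ids": sorted(replica_ids),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Any `attrlist_replace` count above zero is the category that points at the obsolete RUV page linked in the thread; the other two are the ones Ludwig expects to stop on their own.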