On 11/03/2016 09:42 AM, lejeczek wrote:
> hi everybody
>
> my three IPAs have gone haywire, two things I recall: one - one server
> was on ScientificL with slightly lower minor version of IPA, two -
> another server (of the two identical CentOSes) had skewed time.
> Not all there servers are in time-sync and all run same version of IPA
> but replication broke with errors like:
>
>
> $ ipa-replica-manage re-initialize --from rider --force
>
> ..
> [03/Nov/2016:13:21:08 +0000] NSACLPlugin - The ACL target
> cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dc=xx,dc=xx,dc=dc=xx,dc=xx,dc=x
> does not exist
> [03/Nov/2016:13:21:08 +0000] NSACLPlugin - The ACL target
> cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dc=xx,dc=xx,dc=dc=xx,dc=xx,dc=x
> does not exist
> [03/Nov/2016:13:21:09 +0000] agmt="cn=meToswir.xx.xx.xx.xx.x"
> (swir:389) - Can't locate CSN 581b120f000500040000 in the changelog
> (DB rc=-30988). If replication stops, the consumer may need to be
> reinitialized.
> [03/Nov/2016:13:21:09 +0000] NSMMReplicationPlugin - changelog program
> - agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): CSN
> 581b120f000500040000 not found, we aren't as up to date, or we purged
> [03/Nov/2016:13:21:09 +0000] NSMMReplicationPlugin -
> agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): Data required to update
> replica has been purged. The replica must be reinitialized.
> [03/Nov/2016:13:21:09 +0000] NSMMReplicationPlugin -
> agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): Incremental update failed
> and requires administrator action
>
> I did dbscan -f /var.../cb941....db on all three servers and grepped
> but cannot see that 581b120f000500040000
>
> where to troubleshoot?

What version of 389 do you have:

    rpm -qa | grep 389-ds-base

Did you check the changelog database for 581b120f000500040000:

    dbscan -f /var/lib/dirsrv/slapd-INSTANCE/db/changelogdb

What about the access logs? Do you see the CSN there?

I've seen this issue before where a CSN is missing, which breaks the
replication agreements, but the CSN does get added to the changelog
after a few seconds. The only way to fix replication is to restart the
server, or disable/enable the replication agreements (basically restart
them).

Thanks,
Mark

> many thanks.
> L
>
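Added example, not part of the original thread or of 389-ds: a small Python helper that pulls the CSNs out of error-log lines like the ones quoted above and decodes them, so you can see which replica ID originated the missing change and how old it was when the supplier reported it. It assumes the standard 389 DS CSN layout (8 hex digits of Unix time, then 4 each for sequence, replica ID and sub-sequence); the function names are hypothetical and SAMPLE is the quoted log with wrapped lines rejoined.

```python
import re
from datetime import datetime, timezone

# Assumed CSN layout: 8 hex timestamp | 4 hex seq | 4 hex replica ID | 4 hex subseq
CSN_RE = re.compile(r"\bCSN ([0-9a-f]{20})\b")
LOG_TS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def decode_csn(csn):
    """Split a 20-hex-digit CSN into its four fields."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError("not a 20-hex-digit CSN: %r" % csn)
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }

def missing_csns(log_lines):
    """Map each CSN mentioned in the log to its decoded fields plus its age
    (seconds between the CSN timestamp and the first log line naming it)."""
    found = {}
    for line in log_lines:
        csn, ts = CSN_RE.search(line), LOG_TS_RE.match(line)
        if not csn or not ts or csn.group(1) in found:
            continue
        logged = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
        info = decode_csn(csn.group(1))
        info["age_seconds"] = int((logged - info["time"]).total_seconds())
        found[csn.group(1)] = info
    return found

# Lines from the quoted message, wrapped lines rejoined.
SAMPLE = [
    '[03/Nov/2016:13:21:08 +0000] NSACLPlugin - The ACL target '
    'cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dc=xx,dc=xx,'
    'dc=dc=xx,dc=xx,dc=x does not exist',
    '[03/Nov/2016:13:21:09 +0000] agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389) - '
    "Can't locate CSN 581b120f000500040000 in the changelog (DB rc=-30988).",
    '[03/Nov/2016:13:21:09 +0000] NSMMReplicationPlugin - changelog program - '
    'agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): CSN 581b120f000500040000 '
    "not found, we aren't as up to date, or we purged",
]

if __name__ == "__main__":
    for csn, info in missing_csns(SAMPLE).items():
        print(csn, info["time"].isoformat(), "replica", info["replica_id"],
              "age", info["age_seconds"], "s")
```

A negative or implausibly large age points at clock skew on the originating replica; the replica ID tells you which server's changelog and access log to search first.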
