On 11/03/2016 09:42 AM, lejeczek wrote:
> hi everybody
>
> my three IPAs have gone haywire, two things I recall: one - one server
> was on ScientificL with slightly lower minor version of IPA, two -
> another server (of the two identical CEntOSes) had skewed time.
> Not all there servers are in time-sync and all run same version of IPA
> but replication broke with errors like:
>
>
> $ ipa-replica-manage re-initialize --from rider --force
>
> ..
> [03/Nov/2016:13:21:08 +0000] NSACLPlugin - The ACL target
> cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dc=xx,dc=xx,dc=dc=xx,dc=xx,dc=x
> does not exist
> [03/Nov/2016:13:21:08 +0000] NSACLPlugin - The ACL target
> cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dc=xx,dc=xx,dc=dc=xx,dc=xx,dc=x
> does not exist
> [03/Nov/2016:13:21:09 +0000] agmt="cn=meToswir.xx.xx.xx.xx.x"
> (swir:389) - Can't locate CSN 581b120f000500040000 in the changelog
> (DB rc=-30988). If replication stops, the consumer may need to be
> reinitialized.
> [03/Nov/2016:13:21:09 +0000] NSMMReplicationPlugin - changelog program
> - agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): CSN
> 581b120f000500040000 not found, we aren't as up to date, or we purged
> [03/Nov/2016:13:21:09 +0000] NSMMReplicationPlugin -
> agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): Data required to update
> replica has been purged. The replica must be reinitialized.
> [03/Nov/2016:13:21:09 +0000] NSMMReplicationPlugin -
> agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): Incremental update failed
> and requires administrator action
>
> I did dbscan -f /var.../cb941....db on all three servers and greped
> but cannot see that 581b120f000500040000
>
> where to troubleshoot?
What version of 389 do you have:

rpm -qa | grep 389-ds-base

Did you check the changelog database for 581b120f000500040000:

dbscan -f /var/lib/dirsrv/slapd-INSTANCE/db/changelogdb

What about the access logs?  Do you see the CSN there?

I've seen this issue before where a CSN is missing, which breaks the
replication agreements, but the CSN does get added to the changelog
after a few seconds.  The only way to fix replication is to restart the
server, or disable/enable the replication agreements(basically restart
them).

Thanks,
Mark
> many thanks.
> L
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to