Standa Laznicka wrote:
You can, but you probably won't be able to install a CA replica on
them (you have to leave out the --setup-ca option). In the meantime,
you can create replicas without CA replication and when the Dogtag/DS
guys solve the problem, you can run ipa-ca-install on those to set up
CA replication there as well.

Appreciate the attention this is getting!
My testing from yesterday shows that all replication is broken for me
due to this 'replication manager' user not existing in LDAP so I may be
hit by something in addition to the dogtag issue.
I have two servers that are out of sync with each other:
- Manual force update fails
- Manual re-initialization fails
- Installing a new IPA server without CA-service claims to work but no
actual updates transfer
As far as I can tell all of the failures are due to an LDAP access issue
where the logs talk about a replication-agreement-specific LDAP user not
existing.
Example From Replica:
# ipa-replica-manage -v re-initialize --from usaeilidmp001.redactedidm.org
ipa: INFO: Setting agreement
cn=meTousaeilidmp002.redactedidm.org,cn=replica,cn=dc\=redactedidm\,dc\=org,cn=mapping
tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement
cn=meTousaeilidmp002.redactedidm.org,cn=replica,cn=dc\=redactedidm\,dc\=org,cn=mapping
tree,cn=config
Update in progress, 14 seconds elapsed
# [usaeilidmp001.redactedidm.org] reports: Update failed! Status: [-2 -
LDAP error: Local error]
dirsrv error logs from Master:
[04/May/2017:12:20:08.531621754 +0000] slapi_ldap_bind - Error: could not
bind id [cn=Replication Manager
cloneAgreement1-usaeilidmp002.redactedidm.org-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object) errno 0
(Success)
[04/May/2017:12:20:10.071619724 +0000] slapi_ldap_bind - Error: could
not bind id [cn=Replication Manager
cloneAgreement1-deawilidmp001.redactedidm.org-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object) errno 0
(Success)
[04/May/2017:12:20:11.074340742 +0000] set_krb5_creds - Could not get
initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@]
in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not
found)
[04/May/2017:12:20:35.078730934 +0000] set_krb5_creds - Could not get
initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@]
in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not
found)
[04/May/2017:12:21:23.083737475 +0000] set_krb5_creds - Could not get
initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@]
in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not
found)
Regards,
Chris
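Added example, not from Chris's post or from the FreeIPA/389-ds projects: a small Python triage of dirsrv error-log lines like the ones quoted above, separating replication-manager bind failures with LDAP error 32 (the bind DN itself does not exist) from keytab lookup failures, and pulling the CA clone-agreement partner host out of each DN. The sample lines are constructed from the excerpt; the cloneAgreement<n>-<host>-pki-tomcat naming is inferred from the quoted DNs.

```python
import re
from collections import Counter

# Constructed sample, modelled on the 389-ds error log excerpt quoted in the
# thread (each wrapped entry joined back onto one line); not the original log.
SAMPLE_LOG = """\
[04/May/2017:12:20:08.531621754 +0000] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-usaeilidmp002.redactedidm.org-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[04/May/2017:12:20:10.071619724 +0000] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-deawilidmp001.redactedidm.org-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[04/May/2017:12:20:11.074340742 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[04/May/2017:12:20:35.078730934 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
"""
BIND_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] slapi_ldap_bind - Error: could not bind id "
    r"\[(?P<dn>[^\]]+)\] authentication mechanism \[(?P<mech>[^\]]+)\]: "
    r"error (?P<code>\d+) \((?P<msg>[^)]+)\)"
)
KRB_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] set_krb5_creds - Could not get initial credentials "
    r"for principal \[(?P<princ>[^\]]+)\] in keytab \[(?P<keytab>[^\]]+)\]: "
    r"(?P<code>-?\d+) \((?P<msg>[^)]+)\)"
)
# Dogtag names CA clone agreements cloneAgreement<n>-<partner host>-pki-tomcat
# (inferred from the DNs in the thread); the partner host is what an admin acts on.
CLONE_RE = re.compile(r"cloneAgreement\d+-(?P<host>.+)-pki-tomcat")
LDAP_NO_SUCH_OBJECT = 32  # the bind DN itself is absent on the server

def triage(log_text):
    """Classify dirsrv error-log lines into replication-relevant findings."""
    findings = {"bind_errors": [], "keytab_failures": Counter(),
                "realmless_principals": set(), "unparsed": 0}
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            clone = CLONE_RE.search(m["dn"])
            findings["bind_errors"].append({
                "dn": m["dn"], "mechanism": m["mech"], "code": int(m["code"]),
                "message": m["msg"], "partner": clone["host"] if clone else None})
            continue
        m = KRB_RE.match(line)
        if m:
            findings["keytab_failures"][(m["princ"], m["keytab"])] += 1
            if m["princ"].endswith("@"):  # nothing after '@': empty realm
                findings["realmless_principals"].add(m["princ"])
            continue
        findings["unparsed"] += 1
    return findings

def broken_partners(findings):
    """Partner hosts whose clone-agreement bind DN is missing (LDAP error 32)."""
    return [e["partner"] for e in findings["bind_errors"]
            if e["code"] == LDAP_NO_SUCH_OBJECT and e["partner"]]
```

Run `triage(open("/var/log/dirsrv/slapd-<instance>/errors").read())` on a real instance and feed the result to `broken_partners` to get the list of replicas whose Replication Manager entries need checking under ou=csusers,cn=config.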
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project