Standa Laznicka wrote:
You can, but you probably won't be able to install a CA replica on them (you have to leave out the --setup-ca option). In the meantime, you can create replicas without CA replication and when the Dogtag/DS guys solve the problem, you can run ipa-ca-install on those to setup CA replication there as well.

Appreciate the attention this is getting!

My testing from yesterday shows that all replication is broken for me due to this 'replication manager' user not existing in LDAP so I may be hit by something in addition to the dogtag issue

I have two servers that are out of sync with each other

- Manual force update fails
- Manual re-initialization fails
- Installing a new IPA server without CA-service claims to work but no actual updates transfer

As far as I can tell all of the failures are due to an LDAP access issue where the logs talk about a replication-agreement-specific LDAP user not existing.

Example From Replica:

# ipa-replica-manage -v re-initialize --from usaeilidmp001.redactedidm.org
ipa: INFO: Setting agreement cn=meTousaeilidmp002.redactedidm.org,cn=replica,cn=dc\=redactedidm\,dc\=org,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTousaeilidmp002.redactedidm.org,cn=replica,cn=dc\=redactedidm\,dc\=org,cn=mapping tree,cn=config
Update in progress, 14 seconds elapsed

# [usaeilidmp001.redactedidm.org] reports: Update failed! Status: [-2 - LDAP error: Local error]



dirsrv error logs from Master:

[04/May/2017:12:20:08.531621754 +0000] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-usaeilidmp002.redactedidm.org-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[04/May/2017:12:20:10.071619724 +0000] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-deawilidmp001.redactedidm.org-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[04/May/2017:12:20:11.074340742 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[04/May/2017:12:20:35.078730934 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[04/May/2017:12:21:23.083737475 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)

Regards,
Chris
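The log excerpt in Chris's message shows two different failures side by side: SIMPLE binds as the per-agreement "Replication Manager cloneAgreement1-..." user failing with LDAP error 32 (the bind DN under ou=csusers,cn=config does not exist), and set_krb5_creds failing because the ldap/ service principal is not found in /etc/dirsrv/ds.keytab; note that the principal is logged as ldap/usaeilidmp001.redactedidm.org@ with nothing after the @. The following Python script is an added example, not part of this thread, of FreeIPA or of 389-ds. It splits a run-together errors-log excerpt back into entries, parses those two message types, and counts which bind DNs and keytab principals are failing so the two problems can be separated before anyone starts re-initializing agreements. It assumes the message formats exactly as they appear in the excerpt above and uses that excerpt as its constructed sample input.

```python
"""Summarise 389-ds (dirsrv) errors-log entries that point at broken
replication credentials.  Added example for the thread above, not part
of FreeIPA or 389-ds.  Message formats are assumed to match the excerpt
quoted in the thread; SAMPLE is that excerpt, used as sample input."""
import re
from collections import Counter

# Pasted excerpts are often run together on one line; a new entry begins
# wherever a "[DD/Mon/YYYY:HH:MM:SS" timestamp follows whitespace (the
# leading '[' is optional because the first entry in the thread lost it).
ENTRY_START = re.compile(r"\s+(?=\[?\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})")

TS = r"^\[?(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:[^\]]+)\] "

# slapi_ldap_bind - Error: could not bind id [DN] authentication mechanism [MECH]: error N (msg)
BIND_RE = re.compile(
    TS + r"slapi_ldap_bind - Error: could not bind id \[(?P<dn>[^\]]+)\] "
    r"authentication mechanism \[(?P<mech>[^\]]+)\]: error (?P<code>-?\d+) \((?P<msg>[^)]*)\)"
)
# set_krb5_creds - Could not get initial credentials for principal [P] in keytab [K]: N (msg)
KRB_RE = re.compile(
    TS + r"set_krb5_creds - Could not get initial credentials for principal "
    r"\[(?P<principal>[^\]]+)\] in keytab \[(?P<keytab>[^\]]+)\]: (?P<code>-?\d+) \((?P<msg>[^)]*)\)"
)

# Constructed sample: the excerpt quoted in the thread, as it was pasted (run together).
SAMPLE = (
    "04/May/2017:12:20:08.531621754 +0000] slapi_ldap_bind - Error: could not bind id "
    "[cn=Replication Manager cloneAgreement1-usaeilidmp002.redactedidm.org-pki-tomcat,ou=csusers,cn=config] "
    "authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success) "
    "[04/May/2017:12:20:10.071619724 +0000] slapi_ldap_bind - Error: could not bind id "
    "[cn=Replication Manager cloneAgreement1-deawilidmp001.redactedidm.org-pki-tomcat,ou=csusers,cn=config] "
    "authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success) "
    "[04/May/2017:12:20:11.074340742 +0000] set_krb5_creds - Could not get initial credentials for principal "
    "[ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) "
    "[04/May/2017:12:20:35.078730934 +0000] set_krb5_creds - Could not get initial credentials for principal "
    "[ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) "
    "[04/May/2017:12:21:23.083737475 +0000] set_krb5_creds - Could not get initial credentials for principal "
    "[ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)"
)


def split_entries(text):
    """Split a (possibly run-together) errors-log excerpt into individual entries."""
    return [e for e in ENTRY_START.split(text.strip()) if e]


def parse_entry(entry):
    """Return a dict describing a bind or keytab failure, or None if unrecognised."""
    m = BIND_RE.match(entry)
    if m:
        return {"kind": "bind", "ts": m["ts"], "dn": m["dn"], "mech": m["mech"],
                "code": int(m["code"]), "msg": m["msg"]}
    m = KRB_RE.match(entry)
    if m:
        return {"kind": "krb5", "ts": m["ts"], "principal": m["principal"],
                "keytab": m["keytab"], "code": int(m["code"]), "msg": m["msg"]}
    return None


def summarize(text):
    """Group failures so the two root causes seen in the thread can be told apart."""
    report = {
        "missing_bind_dns": Counter(),    # DN -> count of binds failing with error 32
        "other_bind_errors": Counter(),   # (DN, code) -> count for any other bind failure
        "keytab_failures": Counter(),     # (principal, keytab) -> count
        "empty_realm_principals": set(),  # principals logged as "svc/host@" with no realm
        "unparsed": [],                   # entries neither regex recognised
    }
    for entry in split_entries(text):
        p = parse_entry(entry)
        if p is None:
            report["unparsed"].append(entry)
        elif p["kind"] == "bind":
            if p["code"] == 32:  # LDAP_NO_SUCH_OBJECT: the bind DN itself is absent
                report["missing_bind_dns"][p["dn"]] += 1
            else:
                report["other_bind_errors"][(p["dn"], p["code"])] += 1
        else:
            report["keytab_failures"][(p["principal"], p["keytab"])] += 1
            if p["principal"].endswith("@"):
                report["empty_realm_principals"].add(p["principal"])
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE)
    for dn, n in r["missing_bind_dns"].items():
        print(f"{n}x bind DN does not exist: {dn}")
    for (princ, kt), n in r["keytab_failures"].items():
        print(f"{n}x principal {princ} not found in {kt}")
    for princ in sorted(r["empty_realm_principals"]):
        print(f"note: principal {princ} was logged with an empty realm after '@'")
```

Run against the thread's excerpt, the report lists the two missing cloneAgreement1 bind DNs once each and the ldap/ principal three times, and flags the empty realm. On a real system the same function can be fed the contents of the dirsrv errors file; anything it cannot parse lands in "unparsed" rather than being silently dropped.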

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
