My IPA LDAP/CS Master logs errors regularly (every few minutes) that seem to be based upon an attempt to communicate with a replica that no longer exists.
Feb 25 14:38:04 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:04 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:14 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:14 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:22 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'REALM.LOCAL')
Feb 25 14:38:35 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:35 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:45 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:45 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:45 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/ipa02.realm.local@REALM.LOCAL not found in Kerberos database)

The only place I found any references to the server ipa02 is in dse.ldif files in the /etc/dirsrv/slapd-REALM-LOCAL/ folders.

Quote from dse.ldif:

dn: cn=replica,cn=dc\3Drealm\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=realm,dc=local
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa02.realm.local@REALM.LOCAL,cn=servi
 ces,cn=accounts,dc=fbog,dc=local
nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-r02.realm.local@REALM.LOCAL,cn=ser
 vices,cn=accounts,dc=realm,dc=local
creatorsName: cn=directory manager
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
createTimestamp: 20130924144354Z
modifyTimestamp: 20160225194116Z
nsState:: BAAAAAAAAADcWM9WAAAAAAEAAAAAAAAAZQAAAAAAAAADAAAAAAAAAA==
nsDS5ReplicaName: a5641a0e-252711e3-96afcc83-6ff9b802
numSubordinates: 1

When I execute "ipa-replica-manage list" from either the master or replica server I get the same response:

ipa01.realm.local: master
ipa-r02.realm.local: master

and when I execute "ipa-csreplica-manage list" from either the master or the replica server I get the same response:

ipa01.fbog.local: master
ipa-r02.fbog.local: CA not configured

I know we are configured in "multi-master" mode and that the CA is only on the master. I would have expected one of these commands to include the "ipa02" server as well since it is in the dse.ldif file.

From an operating perspective, identity management operations (including signing on to the browser-based interface and updates made on one server showing up on the other) from the replica (ipa-r02) are much faster than from the master (ipa01). I am intuiting that this is because any task executing on the replica has only a replica pointer to the master, whereas any operation on the master that tries to replicate has to time out on the invalid pointer to "ipa02" before it can actually communicate with the replica (ipa-r02). Of course my intuition could be completely wrong and my actual understanding of how this process works is nil.

I would like to clean up this environment, however, before I hand the reins over to the next person on my team. So my question is: What is the best way to remove the invalid pointer without having to disrupt services on the master?

Steven Auerbach
Systems Administrator
State University System of Florida Board of Governors
325 West Gaines Street, Suite 1625C
Tallahassee, Florida 32399
(850) 245-9592
steven.auerb...@flbog.edu | www.flbog.edu
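The check below is an added example, not code from the thread or from FreeIPA: it unfolds the quoted dse.ldif replica entry (LDIF continuation lines begin with a single space, which is why "cn=servi / ces" appears split above), extracts the host from each krbprincipalname=ldap/<host>@REALM bind DN, and reports any host that does not appear in the "ipa-replica-manage list" output. The sample entry and list output are constructed from the post's own placeholders (realm.local / REALM.LOCAL); on a real server the same functions would be fed the contents of dse.ldif and the command's output.

```python
import re

# Constructed sample: the replica entry as quoted in the post, with the
# LDIF line folding preserved (continuation lines start with one space).
DSE_LDIF_SAMPLE = r"""dn: cn=replica,cn=dc\3Drealm\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: replica
objectClass: nsds5replica
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa02.realm.local@REALM.LOCAL,cn=servi
 ces,cn=accounts,dc=realm,dc=local
nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-r02.realm.local@REALM.LOCAL,cn=ser
 vices,cn=accounts,dc=realm,dc=local
"""

# Constructed sample of "ipa-replica-manage list" output from the post.
REPLICA_LIST_SAMPLE = """ipa01.realm.local: master
ipa-r02.realm.local: master
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def bind_dn_hosts(ldif_text):
    """Hostnames named in krbprincipalname=ldap/<host>@REALM bind DNs."""
    hosts = set()
    for line in unfold_ldif(ldif_text):
        if not line.lower().startswith("nsds5replicabinddn:"):
            continue
        m = re.search(r"krbprincipalname=ldap/([^@,]+)@", line, re.IGNORECASE)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def known_replicas(list_output):
    """Parse 'host: role' lines from ipa-replica-manage list into hostnames."""
    return {ln.split(":", 1)[0].strip().lower()
            for ln in list_output.splitlines() if ":" in ln}


def stale_bind_hosts(ldif_text, list_output):
    """Bind-DN hosts that no listed master claims, i.e. candidate stale pointers."""
    return sorted(bind_dn_hosts(ldif_text) - known_replicas(list_output))


if __name__ == "__main__":
    print(stale_bind_hosts(DSE_LDIF_SAMPLE, REPLICA_LIST_SAMPLE))  # ['ipa02.realm.local']
```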
--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project