Re: [Freeipa-users] secondary out of sync on DNS again [solved]

2017-01-11 Thread Outback Dingo
working through it slowly now... :)


On Wed, Jan 11, 2017 at 11:22 AM, Martin Basti  wrote:
> Have you tried the ldapsearch from the guide I sent you?

Re: [Freeipa-users] secondary out of sync on DNS again [solved]

2017-01-11 Thread Martin Basti

Have you tried the ldapsearch from the guide I sent you?


On 11.01.2017 17:03, Outback Dingo wrote:

I am still seeing this, and the same message about LDAP

  ./ipa_check_consistency -H
ipa2.optimcloud.com -d OPTIMCLOUD.COM
Directory Manager password:
FreeIPA servers:        ipa2    STATE
=====================================
Active Users            1       OK
Stage Users             0       OK
Preserved Users         0       OK
User Groups             4       OK
Hosts                   8       OK
Host Groups             2       OK
HBAC Rules              1       OK
SUDO Rules              0       OK
DNS Zones               26      OK
LDAP Conflicts          YES     FAIL
Ghost Replicas          NO      OK
Anonymous BIND          YES     OK
Replication Status      ipa 0
Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: LDAP data for
instance 'ipa' are being synchronized, please ignore message 'all
zones loaded'
Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: bug in
dn_to_dnsname(): multi-valued RDNs are not supported
Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: failed to
convert DN 
'idnsname=store+nsuniqueid=44fbbd0e-d80a11e6-ad7498e5-1ca0119b,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com'
to DNS name: not implemented
Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]:
ldap_sync_search_entry failed: not implemented
Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone
150.217.162.in-addr.arpa/IN: loaded serial 1484150526
Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone
optimvoice.co/IN: loaded serial 1484150526
Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone
optimcloud.com/IN: loaded serial 1484150526

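
The "bug in dn_to_dnsname(): multi-valued RDNs are not supported" lines in the quoted journal above come from the DN of a 389-ds replication-conflict entry: the losing copy of a conflicting add is renamed to idnsname=store+nsuniqueid=<id>, and bind-dyndb-ldap cannot map such a DN to an owner name, so that entry is never synchronised into the zone on the replica. The following is an added example (not code from the thread or from bind-dyndb-ldap) that reconstructs the DN-to-name step in Python and reports conflict entries with their nsuniqueid instead of failing; the first sample DN is the one from the journal, the rest are constructed.

```python
"""Added example: reconstruct the DN -> DNS owner-name mapping that
bind-dyndb-ldap applies to entries under cn=dns, and report the
multi-valued RDNs that 389-ds creates for replication conflicts
(<rdn>+nsuniqueid=<id>) instead of failing with "not implemented"."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Separators that are not escaped with a backslash (RFC 4514 DN syntax).
_COMMA = re.compile(r'(?<!\\),')
_PLUS = re.compile(r'(?<!\\)\+')


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Split a DN into RDNs; each RDN is a list of (attribute, value) pairs.
    A normal RDN has one pair, a conflict entry's RDN has two."""
    rdns = []
    for rdn in _COMMA.split(dn):
        pairs = []
        for ava in _PLUS.split(rdn):
            attr, sep, value = ava.partition('=')
            if not sep:
                raise ValueError(f'malformed RDN component: {ava!r}')
            pairs.append((attr.strip().lower(), value.strip()))
        rdns.append(pairs)
    return rdns


@dataclass
class DnResult:
    dns_name: Optional[str]     # absolute owner name, None when unconvertible
    conflict_id: Optional[str]  # nsuniqueid of a replication-conflict entry
    error: Optional[str]        # why the DN could not be converted


def dn_to_dnsname(dn: str) -> DnResult:
    """Walk the RDNs below cn=dns: [record-name,] zone-name."""
    labels: List[str] = []
    for rdn in parse_dn(dn):
        if len(rdn) == 1 and rdn[0][0] == 'cn' and rdn[0][1].lower() == 'dns':
            break  # reached the DNS container; the rest is the LDAP suffix
        if len(rdn) > 1:
            # 389-ds renames the losing entry of a replication conflict to
            # <original RDN>+nsuniqueid=<id>; bind-dyndb-ldap refuses such DNs.
            return DnResult(None, dict(rdn).get('nsuniqueid'),
                            'multi-valued RDN (replication conflict entry)')
        attr, value = rdn[0]
        if attr != 'idnsname':
            return DnResult(None, None, f'unexpected attribute {attr!r} below cn=dns')
        labels.append(value)
    else:
        return DnResult(None, None, 'cn=dns container not found')
    if not 1 <= len(labels) <= 2:
        return DnResult(None, None, f'expected zone and optional record RDN, got {labels}')
    zone = labels[-1] if labels[-1].endswith('.') else labels[-1] + '.'
    if len(labels) == 1 or labels[0] == '@':
        return DnResult(zone, None, None)   # zone apex
    return DnResult(f'{labels[0]}.{zone}', None, None)


def find_conflict_entries(dns: List[str]) -> Dict[str, str]:
    """Map each conflict-entry DN (e.g. from a search below cn=dns) to its
    nsuniqueid, so the entries can be resolved or removed."""
    found = {}
    for dn in dns:
        result = dn_to_dnsname(dn)
        if result.conflict_id:
            found[dn] = result.conflict_id
    return found


# First DN is the one from the journal in the thread; the others are constructed.
SAMPLE_DNS = [
    'idnsname=store+nsuniqueid=44fbbd0e-d80a11e6-ad7498e5-1ca0119b,'
    'idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com',
    'idnsname=_dmarc,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com',
    'idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com',
]

if __name__ == '__main__':
    for sample in SAMPLE_DNS:
        print(dn_to_dnsname(sample))
    print(find_conflict_entries(SAMPLE_DNS))
```

Feeding the DNs returned by an ldapsearch below cn=dns into find_conflict_entries gives the list of entries to resolve with the Red Hat conflict-resolution guide linked later in the thread.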

Re: [Freeipa-users] secondary out of sync on DNS again [solved]

2017-01-11 Thread Martin Basti


Great :)


On 11.01.2017 16:52, Outback Dingo wrote:

damn... DMARC record removed, now synced


Re: [Freeipa-users] secondary out of sync on DNS again

2017-01-11 Thread Outback Dingo
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 123.100.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 124.100.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 125.100.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 126.100.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 127.100.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 127.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 254.169.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 2.0.192.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 100.51.198.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 113.0.203.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 255.255.255.255.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: D.F.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 8.E.F.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 9.E.F.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: A.E.F.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: B.E.F.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic
empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]:
/etc/named.conf:12: no forwarders seen; disabling forwarding
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: command
channel listening on 127.0.0.1#953
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: command
channel listening on ::1#953
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]:
managed-keys-zone: journal file is out of date: removing journal file
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]:
managed-keys-zone: loaded serial 45
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: shutting down
automatic empty zones to enable forwarding for domain '.'
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: zone
0.in-addr.arpa/IN: loaded serial 0
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: zone
1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: zone
localhost.localdomain/IN: loaded serial 0
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: zone
localhost/IN: loaded serial 0
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 0
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: all zones loaded
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: running
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: LDAP
configuration for instance 'ipa' synchronized
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: GSSAPI client step 1
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: GSSAPI client step 1
Jan 11 08:45:56 ipa2.optimcloud.com systemd[1]: Started Berkeley
Internet Name Domain (DNS) with native PKCS#11.
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: GSSAPI client step 1
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: GSSAPI client step 2
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: LDAP data for
instance 'ipa' are being synchronized, please ignore message 'all
zones loaded'
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: failed to
parse RR entry: resource record DN
'idnsname=_dmarc,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com':
data '"v=DMARC1; p=reject; rua=mailto:postmas...@optimcloud.com;
ruf=mailto:ad...@optimcloud.com': unexpected end of input
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: update_record
(syncrepl) failed, resource record DN
'idnsname=_dmarc,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com'
change type 0x1. Records can be outdated, run `rndc reload`:
unexpected end of input
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone
150.217.162.in-addr.arpa/IN: loaded serial 1484142357
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone
150.217.162.in-addr.arpa/IN: sending notifies (serial 1484142357)
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone
252.91.54.in-addr.arpa/IN: loaded serial 1484142357
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: error (network
unreachable) resolving 'ipa.optimcloud.com/A/IN':
2001:500:1::803f:235#53
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: error (network
unreachable) resolving 
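
The "failed to parse RR entry ... unexpected end of input" and "update_record (syncrepl) failed" lines above are how bind-dyndb-ldap reports a TXT value whose closing quote is missing; the DMARC record was the one later removed to get the replica back in sync. The following is an added example (not code from the thread or from bind-dyndb-ldap) that tokenises TXT RDATA the way a master-file parser does and flags such values before they reach a replica; the owner names and record values are constructed.

```python
"""Added example: tokenise the RDATA of a TXT record the way a master-file
parser does (sequence of <character-string>s, RFC 1035 section 5.1) and
report values that bind-dyndb-ldap would reject, such as a DMARC string
whose closing quote is missing ("unexpected end of input")."""
from typing import Dict, List, Tuple


def _unescape(data: str, i: int) -> Tuple[int, bytes]:
    """Handle a backslash at data[i]: \\DDD is a decimal octet, \\X is X."""
    if i + 1 >= len(data):
        raise ValueError('unexpected end of input')  # lone trailing backslash
    digits = data[i + 1:i + 4]
    if len(digits) == 3 and digits.isdigit():
        octet = int(digits)
        if octet > 255:
            raise ValueError(f'escape \\{digits} exceeds 255')
        return i + 4, bytes([octet])
    return i + 2, data[i + 1].encode()


def parse_txt_rdata(data: str) -> List[bytes]:
    """Return the character-strings of a TXT value; raise ValueError on the
    errors a zone-file parser would report."""
    strings: List[bytes] = []
    i, n = 0, len(data)
    while i < n:
        if data[i].isspace():
            i += 1
            continue
        buf = bytearray()
        if data[i] == '"':                      # quoted string
            i += 1
            while True:
                if i >= n:
                    raise ValueError('unexpected end of input')  # no closing quote
                ch = data[i]
                if ch == '"':
                    i += 1
                    break
                if ch == '\\':
                    i, raw = _unescape(data, i)
                    buf.extend(raw)
                else:
                    buf.extend(ch.encode())
                    i += 1
        else:                                   # unquoted: runs to whitespace
            while i < n and not data[i].isspace():
                if data[i] == '"':
                    raise ValueError('quote inside unquoted string')
                if data[i] == '\\':
                    i, raw = _unescape(data, i)
                    buf.extend(raw)
                else:
                    buf.extend(data[i].encode())
                    i += 1
        if len(buf) > 255:
            raise ValueError(f'character-string is {len(buf)} octets, max 255')
        strings.append(bytes(buf))
    return strings


def check_txt_records(records: Dict[str, str]) -> Dict[str, str]:
    """Return {owner: error} for every TXT value that fails to parse."""
    problems = {}
    for owner, rdata in records.items():
        try:
            parse_txt_rdata(rdata)
        except ValueError as exc:
            problems[owner] = str(exc)
    return problems


# Constructed records; the second has the shape of the failing DMARC value in
# the thread (opening quote, no closing quote).
SAMPLE_RECORDS = {
    '_dmarc.example.com.': '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"',
    '_dmarc.broken.example.': '"v=DMARC1; p=reject; rua=mailto:dmarc@broken.example; '
                              'ruf=mailto:abuse@broken.example',
    'toolong.example.com.': '"' + 'x' * 300 + '"',
    'spf.example.com.': 'v=spf1 -all',   # unquoted: parses as two strings
}

if __name__ == '__main__':
    for owner, err in check_txt_records(SAMPLE_RECORDS).items():
        print(f'{owner}: {err}')
```

Note that the unquoted SPF value parses without error but as two separate strings, which is a second way a TXT record can look fine in LDAP and still not mean what was intended.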

Re: [Freeipa-users] secondary out of sync on DNS again

2017-01-11 Thread Martin Basti

Please try to create a new test user if it is replicated to other replicas.


I see repl. conflicts, please try to investigate them; it may cause a
missing zone


https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html


Could you check what you have in journalctl -u named-pkcs11 on the
replica with missing entries?


Martin


Re: [Freeipa-users] secondary out of sync on DNS again

2017-01-11 Thread Outback Dingo
Not really, not like last time but
[root@ipa2 ~]# cd ipa_check_consistency/
[root@ipa2 ipa_check_consistency]# ./ipa_check_consistency -H
ipa2.optimcloud.com -d OPTIMCLOUD.COM
Directory Manager password:
FreeIPA servers:        ipa2    STATE
=====================================
Active Users            1       OK
Stage Users             0       OK
Preserved Users         0       OK
User Groups             4       OK
Hosts                   8       OK
Host Groups             2       OK
HBAC Rules              1       OK
SUDO Rules              0       OK
DNS Zones               26      OK
LDAP Conflicts          YES     FAIL
Ghost Replicas          NO      OK
Anonymous BIND          YES     OK
Replication Status      ipa 0



[07/Jan/2017:23:59:33.034771024 -0500] slapd shutting down - signaling
operation threads - op stack size 1 max work q size 3 max work q stack
size 3
[07/Jan/2017:23:59:33.080148204 -0500] slapd shutting down - waiting
for 26 threads to terminate
[08/Jan/2017:00:01:43.342292791 -0500] SSL alert: Sending pin request
to SVRCore. You may need to run systemd-tty-ask-password-agent to
provide the password.
[08/Jan/2017:00:01:43.348739255 -0500] SSL alert: Security
Initialization: Enabling default cipher set.
[08/Jan/2017:00:01:43.349917267 -0500] SSL alert: Configured NSS Ciphers
[08/Jan/2017:00:01:43.350819261 -0500] SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[08/Jan/2017:00:01:43.352925341 -0500] SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[08/Jan/2017:00:01:43.354043098 -0500] SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[08/Jan/2017:00:01:43.354944795 -0500] SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[08/Jan/2017:00:01:43.355929413 -0500] SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[08/Jan/2017:00:01:43.356793063 -0500] SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[08/Jan/2017:00:01:43.357650823 -0500] SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[08/Jan/2017:00:01:43.358754848 -0500] SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[08/Jan/2017:00:01:43.359655681 -0500] SSL alert:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[08/Jan/2017:00:01:43.360741758 -0500] SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[08/Jan/2017:00:01:43.361650705 -0500] SSL alert:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[08/Jan/2017:00:01:43.362718051 -0500] SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[08/Jan/2017:00:01:43.363594439 -0500] SSL alert:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[08/Jan/2017:00:01:43.365599343 -0500] SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[08/Jan/2017:00:01:43.366719360 -0500] SSL alert:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[08/Jan/2017:00:01:43.368835924 -0500] SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[08/Jan/2017:00:01:43.370913228 -0500] SSL alert:
TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[08/Jan/2017:00:01:43.372972786 -0500] SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[08/Jan/2017:00:01:43.375008604 -0500] SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[08/Jan/2017:00:01:43.377060277 -0500] SSL alert:
TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[08/Jan/2017:00:01:43.379147161 -0500] SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[08/Jan/2017:00:01:43.381215466 -0500] SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[08/Jan/2017:00:01:43.410666701 -0500] SSL Initialization - Configured
SSL version range: min: TLS1.0, max: TLS1.2
[08/Jan/2017:00:01:43.412541954 -0500] 389-Directory/1.3.5.10
B2016.341. starting up
[08/Jan/2017:00:01:43.432516181 -0500] default_mr_indexer_create:
warning - plugin [caseIgnoreIA5Match] does not handle
caseExactIA5Match
[08/Jan/2017:00:01:43.455710217 -0500] WARNING: changelog: entry cache
size 2097152 B is less than db size 4096000 B; We recommend to
increase the entry cache size nsslapd-cachememsize.
[08/Jan/2017:00:01:43.461914913 -0500] Detected Disorderly Shutdown
last time Directory Server was running, recovering database.
[08/Jan/2017:00:01:43.832287548 -0500] schema-compat-plugin -
scheduled schema-compat-plugin tree scan in about 5 seconds after the
server startup!
[08/Jan/2017:00:01:43.857795379 -0500] NSACLPlugin - The ACL target
cn=groups,cn=compat,dc=optimcloud,dc=com does not exist
[08/Jan/2017:00:01:43.859681661 -0500] NSACLPlugin - The ACL target
cn=computers,cn=compat,dc=optimcloud,dc=com does not exist
[08/Jan/2017:00:01:43.861398809 -0500] NSACLPlugin - The ACL target
cn=ng,cn=compat,dc=optimcloud,dc=com does not exist
[08/Jan/2017:00:01:43.862632485 -0500] NSACLPlugin - The ACL target
ou=sudoers,dc=optimcloud,dc=com does not exist
[08/Jan/2017:00:01:43.863764066 -0500] NSACLPlugin - The ACL target
cn=users,cn=compat,dc=optimcloud,dc=com does not exist
[08/Jan/2017:00:01:43.864911346 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=optimcloud,dc=com does not exist
[08/Jan/2017:00:01:43.866162668 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=optimcloud,dc=com does not exist

Re: [Freeipa-users] secondary out of sync on DNS again

2017-01-11 Thread Martin Basti



On 11.01.2017 15:32, Outback Dingo wrote:

not sure why, but the secondary freeipa server is out of sync by a
long shot now, missing dns domains and A records... tried
ipa-replica-manage force-sync --from ipa.optimcloud.com

doesn't seem to be working

HELP!



Do you see any errors in /var/log/dirsrv/slapd-*/errors on servers?

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project