Re: [Freeipa-users] secondary out of sync on DNS again [solved]
working through it slowly now... :)

On Wed, Jan 11, 2017 at 11:22 AM, Martin Basti wrote:
> Have you tried the ldapsearch from the guide I sent you?
>
> On 11.01.2017 17:03, Outback Dingo wrote:
>> I am still seeing this, and the same message about LDAP
>>
>> ./ipa_check_consistency -H ipa2.optimcloud.com -d OPTIMCLOUD.COM
>> Directory Manager password:
>> FreeIPA servers:      ipa2     STATE
>> ====================================
>> Active Users          1        OK
>> Stage Users           0        OK
>> Preserved Users       0        OK
>> User Groups           4        OK
>> Hosts                 8        OK
>> Host Groups           2        OK
>> HBAC Rules            1        OK
>> SUDO Rules            0        OK
>> DNS Zones             26       OK
>> LDAP Conflicts        YES      FAIL
>> Ghost Replicas        NO       OK
>> Anonymous BIND        YES      OK
>> Replication Status    ipa 0
>>
>> Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: LDAP data for instance 'ipa' are being synchronized, please ignore message 'all zones loaded'
>> Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: bug in dn_to_dnsname(): multi-valued RDNs are not supported
>> Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: failed to convert DN 'idnsname=store+nsuniqueid=44fbbd0e-d80a11e6-ad7498e5-1ca0119b,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com' to DNS name: not implemented
>> Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: ldap_sync_search_entry failed: not implemented
>> Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone 150.217.162.in-addr.arpa/IN: loaded serial 1484150526
>> Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone optimvoice.co/IN: loaded serial 1484150526
>> Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone optimcloud.com/IN: loaded serial 1484150526
>>
>> On Wed, Jan 11, 2017 at 10:56 AM, Martin Basti wrote:
>>> Great :)
>>>
>>> On 11.01.2017 16:52, Outback Dingo wrote:
>>>> damn... DMARC record removed, now synced
Re: [Freeipa-users] secondary out of sync on DNS again [solved]
Have you tried the ldapsearch from the guide I sent you?

On 11.01.2017 17:03, Outback Dingo wrote:
> I am still seeing this, and the same message about LDAP
>
> Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: bug in dn_to_dnsname(): multi-valued RDNs are not supported
> Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: failed to convert DN 'idnsname=store+nsuniqueid=44fbbd0e-d80a11e6-ad7498e5-1ca0119b,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com' to DNS name: not implemented
Re: [Freeipa-users] secondary out of sync on DNS again [solved]
Great :)

On 11.01.2017 16:52, Outback Dingo wrote:
> damn... DMARC record removed, now synced
Re: [Freeipa-users] secondary out of sync on DNS again
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 123.100.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 124.100.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 125.100.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 126.100.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 127.100.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 127.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: D.F.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 8.E.F.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 9.E.F.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: A.E.F.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: B.E.F.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: /etc/named.conf:12: no forwarders seen; disabling forwarding
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: command channel listening on 127.0.0.1#953
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: command channel listening on ::1#953
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: managed-keys-zone: journal file is out of date: removing journal file
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: managed-keys-zone: loaded serial 45
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: shutting down automatic empty zones to enable forwarding for domain '.'
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: zone 0.in-addr.arpa/IN: loaded serial 0
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: zone localhost.localdomain/IN: loaded serial 0
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: zone localhost/IN: loaded serial 0
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: all zones loaded
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: running
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: LDAP configuration for instance 'ipa' synchronized
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: GSSAPI client step 1
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: GSSAPI client step 1
Jan 11 08:45:56 ipa2.optimcloud.com systemd[1]: Started Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: GSSAPI client step 1
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: GSSAPI client step 2
Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: LDAP data for instance 'ipa' are being synchronized, please ignore message 'all zones loaded'
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: failed to parse RR entry: resource record DN 'idnsname=_dmarc,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com': data '"v=DMARC1; p=reject; rua=mailto:postmas...@optimcloud.com; ruf=mailto:ad...@optimcloud.com': unexpected end of input
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: update_record (syncrepl) failed, resource record DN 'idnsname=_dmarc,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com' change type 0x1. Records can be outdated, run `rndc reload`: unexpected end of input
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone 150.217.162.in-addr.arpa/IN: loaded serial 1484142357
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone 150.217.162.in-addr.arpa/IN: sending notifies (serial 1484142357)
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone 252.91.54.in-addr.arpa/IN: loaded serial 1484142357
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving 'ipa.optimcloud.com/A/IN': 2001:500:1::803f:235#53
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving
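The two named-pkcs11 failures in this thread (the `_dmarc` TXT record rejected with "unexpected end of input" above, and the `idnsname=store+nsuniqueid=...` conflict entry that dn_to_dnsname() cannot convert in the later messages) can be picked out of `journalctl -u named-pkcs11` mechanically. The script below is an added example, not code from the thread or from FreeIPA/bind-dyndb-ldap; the journal lines are constructed to match the format posted in the thread, the mail address in the sample record is a placeholder, and the `(nsds5ReplConflict=*)` hint is the filter the linked Red Hat Directory Server guide uses for conflict entries.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the journalctl -u named-pkcs11 lines in the thread.
SAMPLE_JOURNAL = """\
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: failed to parse RR entry: resource record DN 'idnsname=_dmarc,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com': data '"v=DMARC1; p=reject; rua=mailto:dmarc@example.test': unexpected end of input
Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: bug in dn_to_dnsname(): multi-valued RDNs are not supported
Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: failed to convert DN 'idnsname=store+nsuniqueid=44fbbd0e-d80a11e6-ad7498e5-1ca0119b,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com' to DNS name: not implemented
Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone optimcloud.com/IN: loaded serial 1484150526
"""

RR_PARSE_RE = re.compile(
    r"failed to parse RR entry: resource record DN '(?P<dn>[^']*)': "
    r"data '(?P<data>.*)': (?P<err>[^:]+)$")
CONVERT_DN_RE = re.compile(
    r"failed to convert DN '(?P<dn>[^']*)' to DNS name: (?P<err>.+)$")


def parse_dn(dn: str) -> List[Dict[str, str]]:
    """Split a DN into RDNs (attribute -> value dicts); handles backslash escapes
    and '+'-joined multi-valued RDNs, the shape of a 389-ds conflict entry."""
    rdns: List[Dict[str, str]] = []
    pairs: Dict[str, str] = {}
    buf, i = "", 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped character, taken literally
            buf += dn[i + 1]
            i += 2
            continue
        if c in ",+":                        # end of an attribute=value pair
            attr, _, val = buf.partition("=")
            pairs[attr.strip().lower()] = val
            buf = ""
            if c == ",":                     # ',' also ends the RDN
                rdns.append(pairs)
                pairs = {}
        else:
            buf += c
        i += 1
    if buf:
        attr, _, val = buf.partition("=")
        pairs[attr.strip().lower()] = val
    if pairs:
        rdns.append(pairs)
    return rdns


def txt_quote_problem(data: str) -> Optional[str]:
    """Approximate the master-file lexer rule behind 'unexpected end of input':
    a double-quoted character-string must be closed before the data ends."""
    in_quote, i = False, 0
    while i < len(data):
        if data[i] == "\\":                  # skip an escaped character
            i += 2
            continue
        if data[i] == '"':
            in_quote = not in_quote
        i += 1
    return "unterminated double-quoted string" if in_quote else None


def _record(rdns: List[Dict[str, str]]) -> Dict[str, str]:
    # Record name and owning zone from a cn=dns entry DN.
    return {"name": rdns[0].get("idnsname", ""),
            "zone": rdns[1].get("idnsname", "") if len(rdns) > 1 else ""}


def triage(journal_text: str) -> List[Dict[str, str]]:
    """One finding per record that named-pkcs11 failed to load from LDAP."""
    findings: List[Dict[str, str]] = []
    for line in journal_text.splitlines():
        m = RR_PARSE_RE.search(line)
        if m:
            f = _record(parse_dn(m.group("dn")))
            f.update(kind="rr-parse", error=m.group("err"),
                     hint=txt_quote_problem(m.group("data")) or "check record syntax")
            findings.append(f)
            continue
        m = CONVERT_DN_RE.search(line)
        if m:
            rdns = parse_dn(m.group("dn"))
            f = _record(rdns)
            uid = rdns[0].get("nsuniqueid", "")
            f.update(kind="conflict-dn" if uid else "bad-dn", nsuniqueid=uid,
                     error=m.group("err"),
                     hint="replication conflict entry, see (nsds5ReplConflict=*)"
                     if uid else "multi-valued RDN")
            findings.append(f)
    return findings
```

Feed it the real journal with `triage(open("named.log").read())`; a `conflict-dn` finding names the record and the nsuniqueid to look for in the directory, an `rr-parse` finding with the quoting hint explains why the record was rejected before anything is deleted.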
Re: [Freeipa-users] secondary out of sync on DNS again
Please try to create a new test user and check whether it is replicated to the other replicas.

I see repl. conflicts, please try to investigate them; they may cause a missing zone:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

Could you check what you have in journalctl -u named-pkcs11 on the replica with missing entries?

Martin

On 11.01.2017 16:27, Outback Dingo wrote:
> Not really, not like last time but
Re: [Freeipa-users] secondary out of sync on DNS again
Not really, not like last time but

[root@ipa2 ~]# cd ipa_check_consistency/
[root@ipa2 ipa_check_consistency]# ./ipa_check_consistency -H ipa2.optimcloud.com -d OPTIMCLOUD.COM
Directory Manager password:
FreeIPA servers:      ipa2     STATE
====================================
Active Users          1        OK
Stage Users           0        OK
Preserved Users       0        OK
User Groups           4        OK
Hosts                 8        OK
Host Groups           2        OK
HBAC Rules            1        OK
SUDO Rules            0        OK
DNS Zones             26       OK
LDAP Conflicts        YES      FAIL
Ghost Replicas        NO       OK
Anonymous BIND        YES      OK
Replication Status    ipa 0

[07/Jan/2017:23:59:33.034771024 -0500] slapd shutting down - signaling operation threads - op stack size 1 max work q size 3 max work q stack size 3
[07/Jan/2017:23:59:33.080148204 -0500] slapd shutting down - waiting for 26 threads to terminate
[08/Jan/2017:00:01:43.342292791 -0500] SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[08/Jan/2017:00:01:43.348739255 -0500] SSL alert: Security Initialization: Enabling default cipher set.
[08/Jan/2017:00:01:43.349917267 -0500] SSL alert: Configured NSS Ciphers
[08/Jan/2017:00:01:43.350819261 -0500] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[08/Jan/2017:00:01:43.352925341 -0500] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[08/Jan/2017:00:01:43.354043098 -0500] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[08/Jan/2017:00:01:43.354944795 -0500] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[08/Jan/2017:00:01:43.355929413 -0500] SSL alert: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[08/Jan/2017:00:01:43.356793063 -0500] SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[08/Jan/2017:00:01:43.357650823 -0500] SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[08/Jan/2017:00:01:43.358754848 -0500] SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[08/Jan/2017:00:01:43.359655681 -0500] SSL alert: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[08/Jan/2017:00:01:43.360741758 -0500] SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[08/Jan/2017:00:01:43.361650705 -0500] SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[08/Jan/2017:00:01:43.362718051 -0500] SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[08/Jan/2017:00:01:43.363594439 -0500] SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[08/Jan/2017:00:01:43.365599343 -0500] SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[08/Jan/2017:00:01:43.366719360 -0500] SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[08/Jan/2017:00:01:43.368835924 -0500] SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[08/Jan/2017:00:01:43.370913228 -0500] SSL alert: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[08/Jan/2017:00:01:43.372972786 -0500] SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[08/Jan/2017:00:01:43.375008604 -0500] SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[08/Jan/2017:00:01:43.377060277 -0500] SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[08/Jan/2017:00:01:43.379147161 -0500] SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[08/Jan/2017:00:01:43.381215466 -0500] SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[08/Jan/2017:00:01:43.410666701 -0500] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[08/Jan/2017:00:01:43.412541954 -0500] 389-Directory/1.3.5.10 B2016.341. starting up
[08/Jan/2017:00:01:43.432516181 -0500] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[08/Jan/2017:00:01:43.455710217 -0500] WARNING: changelog: entry cache size 2097152 B is less than db size 4096000 B; We recommend to increase the entry cache size nsslapd-cachememsize.
[08/Jan/2017:00:01:43.461914913 -0500] Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[08/Jan/2017:00:01:43.832287548 -0500] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[08/Jan/2017:00:01:43.857795379 -0500] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=optimcloud,dc=com does not exist
[08/Jan/2017:00:01:43.859681661 -0500] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=optimcloud,dc=com does not exist
[08/Jan/2017:00:01:43.861398809 -0500] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=optimcloud,dc=com does not exist
[08/Jan/2017:00:01:43.862632485 -0500] NSACLPlugin - The ACL target ou=sudoers,dc=optimcloud,dc=com does not exist
[08/Jan/2017:00:01:43.863764066 -0500] NSACLPlugin - The ACL target cn=users,cn=compat,dc=optimcloud,dc=com does not exist
[08/Jan/2017:00:01:43.864911346 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=optimcloud,dc=com does not exist
[08/Jan/2017:00:01:43.866162668 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=optimcloud,dc=com does not exist
Re: [Freeipa-users] secondary out of sync on DNS again
On 11.01.2017 15:32, Outback Dingo wrote:
> not sure why, but the secondary freeipa server is out of sync by a long shot now, missing dns domains and A records... tried
> ipa-replica-manage force-sync --from ipa.optimcloud.com
> doesn't seem to be working HELP!

Do you see any errors in /var/log/dirsrv/slapd-*/errors on the servers?

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project