[Freeipa-users] Re: Replication Error

2020-11-25 Thread Ronald Wimmer via FreeIPA-users

On 03.10.20 09:07, Ronald Wimmer via FreeIPA-users wrote:


On 02.10.20 17:54, Florence Blanc-Renaud via FreeIPA-users wrote:

On 10/2/20 12:06 PM, Ronald Wimmer via FreeIPA-users wrote:

On 02.10.20 11:43, Florence Blanc-Renaud wrote:

On 10/2/20 9:56 AM, Ronald Wimmer via FreeIPA-users wrote:
By coincidence I found something in /var/log/messages that does not 
look too good:


Oct  2 09:41:30 pipa02.linux.mydomain.at ns-slapd[1905]: 
[02/Oct/2020:09:41:30.887447735 +0200] - ERR - 
NSMMReplicationPlugin - send_updates - 
agmt="cn=pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at" 
(pipa06:389): Data required to update replica has been purged from 
the changelog. If the error persists the replica must be 
reinitialized.


The error seems to persist. What has to be done? Do I have to 
uninstall ipa replica and do an ipa-replica-install again?



Hi,

depending on your domain level, you can use either
- ipa-replica-manage re-initialize and ipa-csreplica-manage 
reinitialize   (domain-level 0) [1]

or
- ipa topologysegment-reinitialize (domain level 1). For more 
information refer to "ipa help topologysegment-reinitialize".


The command "ipa domainlevel-get" will provide you with the current 
domain level. The reinitialize command forces a full synchronization 
of the content from the specified source to the replica.


My domain level is 1.

ipa topologysuffix-find
---
2 topology suffixes matched
---
   Suffix name: ca
   Managed LDAP suffix DN: o=ipaca

   Suffix name: domain
   Managed LDAP suffix DN: dc=linux,dc=mydomain,dc=at

Number of entries returned 2


ipa topologysegment-find

   [...]

   Segment name: pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at
   Left node: pipa02.linux.mydomain.at
   Right node: pipa06.linux.mydomain.at
   Connectivity: both

   [...]

ipa topologysuffix-find
---
2 topology suffixes matched
---
   Suffix name: ca
   Managed LDAP suffix DN: o=ipaca

   Suffix name: domain
   Managed LDAP suffix DN: dc=linux,dc=mydomain,dc=at

Number of entries returned 2


[root@pipa02 ~]# ipa topologysegment-reinitialize
Suffix name: domain
Segment name: pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at
ipa: ERROR: left or right node has to be specified

[root@pipa02 ~]# ipa topologysegment-reinitialize
Suffix name: domain
Segment name: pipa06.linux.mydomain.at
ipa: ERROR: no such entry

What am I doing wrong?


Hi,

you need to specify either --left or --right to tell which side needs 
to be reinitialized:


# ipa help topologysegment-reinitialize
Usage: ipa [global-options] topologysegment-reinitialize 
TOPOLOGYSUFFIX NAME [options]


Request a full re-initialization of the node retrieving data from the 
other node.

Options:
  -h, --help  show this help message and exit
  --left  Initialize left node
  --right Initialize right node
  --stop  Stop already started refresh of chosen node(s)

I would advise to make a backup first, just in case you pick the wrong 
side...


I must have made a typo when I tried the re-initialization last time. 
Issuing the re-initialization command


ipa topologysegment-reinitialize --left
Suffix name: domain
Segment name: pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at

worked. However, I still get the error in the logs:

Nov 25 11:54:55 pipa02.linux.mydomain.at ns-slapd[3627]: 
[25/Nov/2020:11:54:55.359818393 +0100] - ERR - NSMMReplicationPlugin - 
changelog program - repl_plugin_name_cl - 
agmt="cn=pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at" 
(pipa06:389): CSN 5ed7493d00010019 not found, we aren't as up to 
date, or we purged
Nov 25 11:54:55 pipa02.linux.mydomain.at ns-slapd[3627]: 
[25/Nov/2020:11:54:55.360940111 +0100] - ERR - NSMMReplicationPlugin - 
send_updates - 
agmt="cn=pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at" 
(pipa06:389): Data required to update replica has been purged from the 
changelog. If the error persists the replica must be reinitialized.


What should I do?

Cheers,
Ronald
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
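
Added example (not part of the thread and not FreeIPA project code): it reads the "purged from the changelog" entry quoted above, matches it against the segment shown by "ipa topologysegment-find", and builds the non-interactive command in the "TOPOLOGYSUFFIX NAME [options]" form from the help text. It assumes the host that logs the error is the supplier and the host in parentheses is the consumer that needs re-initialization; the function names are hypothetical.

```python
import re

# Constructed sample: the wrapped log entry from the thread, joined onto one line.
SAMPLE_LOG = (
    'Nov 25 11:54:55 pipa02.linux.mydomain.at ns-slapd[3627]: '
    '[25/Nov/2020:11:54:55.360940111 +0100] - ERR - NSMMReplicationPlugin - '
    'send_updates - '
    'agmt="cn=pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at" '
    '(pipa06:389): Data required to update replica has been purged from the '
    'changelog. If the error persists the replica must be reinitialized.'
)

# Segment fields as printed by "ipa topologysegment-find" in the thread.
SEGMENT = {
    "suffix": "domain",
    "name": "pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at",
    "left": "pipa02.linux.mydomain.at",
    "right": "pipa06.linux.mydomain.at",
}

PURGED_RE = re.compile(
    r'^\w{3}\s+\d+\s+[\d:]+\s+(?P<supplier>\S+)\s+ns-slapd\[\d+\]:.*'
    r'agmt="cn=(?P<agmt>[^"]+)"\s+\((?P<consumer>[^:)]+):\d+\):\s+'
    r'Data required to update replica has been purged'
)


def stale_consumer(line):
    """Return (supplier_fqdn, agreement_cn, consumer_host) or None."""
    m = PURGED_RE.search(line)
    return (m["supplier"], m["agmt"], m["consumer"]) if m else None


def same_host(fqdn, name):
    """The log prints the consumer as a short name; accept FQDN or short."""
    return fqdn == name or fqdn.split(".")[0] == name


def reinit_command(line, segment):
    """Build the re-init command for the side named as consumer in the log.

    Assumption: the host writing the error is the supplier, and the host in
    parentheses is the consumer whose data is too old to be updated.
    """
    hit = stale_consumer(line)
    if hit is None:
        return None  # not a "purged from the changelog" entry
    supplier, _agmt, consumer = hit
    for side, other in (("left", "right"), ("right", "left")):
        if same_host(segment[side], consumer) and segment[other] == supplier:
            return ["ipa", "topologysegment-reinitialize",
                    segment["suffix"], segment["name"], "--" + side]
    raise ValueError("log entry does not belong to this segment")
```

The returned list can be passed to subprocess.run after a backup has been taken, as advised in the thread.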


[Freeipa-users] Re: Replication Error

2020-10-03 Thread Ronald Wimmer via FreeIPA-users


On 02.10.20 17:54, Florence Blanc-Renaud via FreeIPA-users wrote:

On 10/2/20 12:06 PM, Ronald Wimmer via FreeIPA-users wrote:

On 02.10.20 11:43, Florence Blanc-Renaud wrote:

On 10/2/20 9:56 AM, Ronald Wimmer via FreeIPA-users wrote:
By coincidence I found something in /var/log/messages that does not 
look too good:


Oct  2 09:41:30 pipa02.linux.mydomain.at ns-slapd[1905]: 
[02/Oct/2020:09:41:30.887447735 +0200] - ERR - 
NSMMReplicationPlugin - send_updates - 
agmt="cn=pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at" 
(pipa06:389): Data required to update replica has been purged from 
the changelog. If the error persists the replica must be 
reinitialized.


The error seems to persist. What has to be done? Do I have to 
uninstall ipa replica and do an ipa-replica-install again?



Hi,

depending on your domain level, you can use either
- ipa-replica-manage re-initialize and ipa-csreplica-manage 
reinitialize   (domain-level 0) [1]

or
- ipa topologysegment-reinitialize (domain level 1). For more 
information refer to "ipa help topologysegment-reinitialize".


The command "ipa domainlevel-get" will provide you with the current 
domain level. The reinitialize command forces a full synchronization 
of the content from the specified source to the replica.


My domain level is 1.

ipa topologysuffix-find
---
2 topology suffixes matched
---
   Suffix name: ca
   Managed LDAP suffix DN: o=ipaca

   Suffix name: domain
   Managed LDAP suffix DN: dc=linux,dc=mydomain,dc=at

Number of entries returned 2


ipa topologysegment-find

   [...]

   Segment name: pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at
   Left node: pipa02.linux.mydomain.at
   Right node: pipa06.linux.mydomain.at
   Connectivity: both

   [...]

ipa topologysuffix-find
---
2 topology suffixes matched
---
   Suffix name: ca
   Managed LDAP suffix DN: o=ipaca

   Suffix name: domain
   Managed LDAP suffix DN: dc=linux,dc=mydomain,dc=at

Number of entries returned 2


[root@pipa02 ~]# ipa topologysegment-reinitialize
Suffix name: domain
Segment name: pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at
ipa: ERROR: left or right node has to be specified

[root@pipa02 ~]# ipa topologysegment-reinitialize
Suffix name: domain
Segment name: pipa06.linux.mydomain.at
ipa: ERROR: no such entry

What am I doing wrong?


Hi,

you need to specify either --left or --right to tell which side needs 
to be reinitialized:


# ipa help topologysegment-reinitialize
Usage: ipa [global-options] topologysegment-reinitialize 
TOPOLOGYSUFFIX NAME [options]


Request a full re-initialization of the node retrieving data from the 
other node.

Options:
  -h, --help  show this help message and exit
  --left  Initialize left node
  --right Initialize right node
  --stop  Stop already started refresh of chosen node(s)

I would advise to make a backup first, just in case you pick the wrong 
side...


That does not solve the problem. The error I get is "ipa: ERROR: no such 
entry".



[Freeipa-users] Re: Replication Error

2020-10-02 Thread Florence Blanc-Renaud via FreeIPA-users

On 10/2/20 12:06 PM, Ronald Wimmer via FreeIPA-users wrote:

On 02.10.20 11:43, Florence Blanc-Renaud wrote:

On 10/2/20 9:56 AM, Ronald Wimmer via FreeIPA-users wrote:
By coincidence I found something in /var/log/messages that does not 
look too good:


Oct  2 09:41:30 pipa02.linux.mydomain.at ns-slapd[1905]: 
[02/Oct/2020:09:41:30.887447735 +0200] - ERR - NSMMReplicationPlugin 
- send_updates - 
agmt="cn=pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at" 
(pipa06:389): Data required to update replica has been purged from 
the changelog. If the error persists the replica must be reinitialized.


The error seems to persist. What has to be done? Do I have to 
uninstall ipa replica and do an ipa-replica-install again?



Hi,

depending on your domain level, you can use either
- ipa-replica-manage re-initialize and ipa-csreplica-manage 
reinitialize   (domain-level 0) [1]

or
- ipa topologysegment-reinitialize (domain level 1). For more 
information refer to "ipa help topologysegment-reinitialize".


The command "ipa domainlevel-get" will provide you with the current 
domain level. The reinitialize command forces a full synchronization 
of the content from the specified source to the replica.


My domain level is 1.

ipa topologysuffix-find
---
2 topology suffixes matched
---
   Suffix name: ca
   Managed LDAP suffix DN: o=ipaca

   Suffix name: domain
   Managed LDAP suffix DN: dc=linux,dc=mydomain,dc=at

Number of entries returned 2


ipa topologysegment-find

   [...]

   Segment name: pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at
   Left node: pipa02.linux.mydomain.at
   Right node: pipa06.linux.mydomain.at
   Connectivity: both

   [...]

ipa topologysuffix-find
---
2 topology suffixes matched
---
   Suffix name: ca
   Managed LDAP suffix DN: o=ipaca

   Suffix name: domain
   Managed LDAP suffix DN: dc=linux,dc=mydomain,dc=at

Number of entries returned 2


[root@pipa02 ~]# ipa topologysegment-reinitialize
Suffix name: domain
Segment name: pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at
ipa: ERROR: left or right node has to be specified

[root@pipa02 ~]# ipa topologysegment-reinitialize
Suffix name: domain
Segment name: pipa06.linux.mydomain.at
ipa: ERROR: no such entry

What am I doing wrong?


Hi,

you need to specify either --left or --right to tell which side needs to 
be reinitialized:


# ipa help topologysegment-reinitialize
Usage: ipa [global-options] topologysegment-reinitialize TOPOLOGYSUFFIX 
NAME [options]


Request a full re-initialization of the node retrieving data from the 
other node.

Options:
  -h, --help  show this help message and exit
  --left  Initialize left node
  --right Initialize right node
  --stop  Stop already started refresh of chosen node(s)

I would advise to make a backup first, just in case you pick the wrong 
side...


flo



Cheers,
Ronald


[Freeipa-users] Re: Replication Error

2020-10-02 Thread Ronald Wimmer via FreeIPA-users

On 02.10.20 11:43, Florence Blanc-Renaud wrote:

On 10/2/20 9:56 AM, Ronald Wimmer via FreeIPA-users wrote:
By coincidence I found something in /var/log/messages that does not 
look too good:


Oct  2 09:41:30 pipa02.linux.mydomain.at ns-slapd[1905]: 
[02/Oct/2020:09:41:30.887447735 +0200] - ERR - NSMMReplicationPlugin - 
send_updates - 
agmt="cn=pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at" 
(pipa06:389): Data required to update replica has been purged from the 
changelog. If the error persists the replica must be reinitialized.


The error seems to persist. What has to be done? Do I have to 
uninstall ipa replica and do an ipa-replica-install again?



Hi,

depending on your domain level, you can use either
- ipa-replica-manage re-initialize and ipa-csreplica-manage reinitialize 
  (domain-level 0) [1]

or
- ipa topologysegment-reinitialize (domain level 1). For more 
information refer to "ipa help topologysegment-reinitialize".


The command "ipa domainlevel-get" will provide you with the current 
domain level. The reinitialize command forces a full synchronization of 
the content from the specified source to the replica.


My domain level is 1.

ipa topologysuffix-find
---
2 topology suffixes matched
---
  Suffix name: ca
  Managed LDAP suffix DN: o=ipaca

  Suffix name: domain
  Managed LDAP suffix DN: dc=linux,dc=mydomain,dc=at

Number of entries returned 2


ipa topologysegment-find

  [...]

  Segment name: pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at
  Left node: pipa02.linux.mydomain.at
  Right node: pipa06.linux.mydomain.at
  Connectivity: both

  [...]

ipa topologysuffix-find
---
2 topology suffixes matched
---
  Suffix name: ca
  Managed LDAP suffix DN: o=ipaca

  Suffix name: domain
  Managed LDAP suffix DN: dc=linux,dc=mydomain,dc=at

Number of entries returned 2


[root@pipa02 ~]# ipa topologysegment-reinitialize
Suffix name: domain
Segment name: pipa02.linux.mydomain.at-to-pipa06.linux.mydomain.at
ipa: ERROR: left or right node has to be specified

[root@pipa02 ~]# ipa topologysegment-reinitialize
Suffix name: domain
Segment name: pipa06.linux.mydomain.at
ipa: ERROR: no such entry

What am I doing wrong?

Cheers,
Ronald


[Freeipa-users] Re: Replication Error

2020-10-02 Thread Florence Blanc-Renaud via FreeIPA-users

On 10/2/20 9:56 AM, Ronald Wimmer via FreeIPA-users wrote:
By coincidence I found something in /var/log/messages that does not look 
too good:


Oct  2 09:41:30 pipa02.linux.mydomain.at ns-slapd[1905]: 
[02/Oct/2020:09:41:30.887447735 +0200] - ERR - NSMMReplicationPlugin - 
send_updates - 
agmt="cn=pipa02.linux.oebb.at-to-pipa06.linux.mydomain.at" (pipa06:389): 
Data required to update replica has been purged from the changelog. If 
the error persists the replica must be reinitialized.


The error seems to persist. What has to be done? Do I have to uninstall 
ipa replica and do an ipa-replica-install again?



Hi,

depending on your domain level, you can use either
- ipa-replica-manage re-initialize and ipa-csreplica-manage reinitialize 
 (domain-level 0) [1]

or
- ipa topologysegment-reinitialize (domain level 1). For more 
information refer to "ipa help topologysegment-reinitialize".


The command "ipa domainlevel-get" will provide you with the current 
domain level. The reinitialize command forces a full synchronization of 
the content from the specified source to the replica.


HTH,
flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#initialize



Cheers,
Ronald


[Freeipa-users] Re: Replication error

2017-06-05 Thread Striker Leggette via FreeIPA-users

You can try to force a re-init from the broken server:

# kinit admin
# ipa-replica-manage re-initialize --from workinghost1.example.com


On 06/05/2017 11:07 AM, Bret Wortman via FreeIPA-users wrote:


I've also just realized that replication appears to have ceased; I 
have entries in some IPA servers but not all.


[root@zsipa ~]# ipa-replica-manage list
Directory Manager password:

zsipa.damascusgrp.com: master
zsipa2.damascusgrp.com: master
zsipa3.damascusgrp.com: master
[root@zsipa ~]# ipa-replica-manage list zsipa.damascusgrp.com
Directory Manager password:

zsipa3.damascusgrp.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (19) Replication error acquiring replica: 
Replica has different database generation ID, remote replica may need 
to be initialized (RUV error)

  last update ended: 1970-01-01 00:00:00+00:00
[root@zsipa ~]#

Only zsipa3 is listed as a replica anywhere, and it's not a 
functioning one. I can set up replication between zsipa and zsipa2, 
but is there a good way to bring zsipa3 back in line as well?


The background is that we attempted to do a rolling update of our IPA 
servers by bringing in a new server, zsipa2, and then upgrading each 
of the other two from Fedora to Centos 7 and then initialized them as 
replicas of zsipa2. But apparently, this didn't work as we had 
thought. So add replication errors to the certificate issue I'm still 
trying to run to ground.



--
*Bret Wortman*
Damascus Products
ph/fax: 1-855-644-2783

