Re: [Freeipa-users] IPA Servers out of sync - DNS records
Hi,

I think we can explain it. Is it possible that you were running 389-ds-base-1.3.4.0-33.el7_2.x86_64.rpm release?

From the string:

    389-Directory/1.3.4.0 B2016.215.1556

it seems to me that corresponds to

    rpm -qi -p 389-ds-base-1.3.4.0-33.el7_2.x86_64.rpm | grep -i ^signature
    Signature : RSA/SHA256, Tue 26 Jul 2016 04:49:26 AM CEST, Key ID 199e2f91fd431d51

This release includes a very harmful replication bug that manifests with this error message, that we can see in your logs:

    [20/Dec/2016:22:50:14 -0500] agmt="cn=meToipa2.optimcloud.com" (ipa2:389) - Can't locate CSN 58528dac00020004 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.

And the replicas are out of sync + replication stopped.

It's explained in this article:

https://access.redhat.com/solutions/2690611
IdM/IPA LDAP and Red Hat Directory Server/RHDS replication halt, error Can't locate CSN number in the changelog (DB rc=-30988)

Your update to 7.3 has the fix for that bug included.

regards,
German.

On Tue, Dec 27, 2016 at 1:21 PM, Outback Dingo wrote:
> > According to log, it looks that replication has been restored a week ago
> >
> > can you use https://github.com/peterpakos/ipa_check_consistency to check
> > what else is missing?
> >
> > If it finds missing entries, probably re-initialization will be needed
> >
> > Martin
>
> really odd... I just did a yum update -y during our conversation on
> both servers, now ipa2 is synced again...

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
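The log check described in the message above, as an added example that is not part of the thread or of any FreeIPA/389-ds tooling: it scans a dirsrv errors log for the server build banner and for the "Can't locate CSN ... (DB rc=-30988)" signature, grouped by replication agreement. The function names are hypothetical, the sample log is constructed from the lines quoted in the thread, and reading the first 8 hex digits of the CSN as a Unix timestamp is an assumption about the CSN layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the banner, "starting up" and CSN lines are the ones
# quoted in the thread; the last line is invented filler.
SAMPLE_LOG = """\
389-Directory/1.3.4.0 B2016.215.1556
[20/Dec/2016:22:38:51 -0500] - 389-Directory/1.3.4.0 B2016.215.1556 starting up
[20/Dec/2016:22:50:14 -0500] agmt="cn=meToipa2.optimcloud.com" (ipa2:389) - Can't locate CSN 58528dac00020004 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[20/Dec/2016:22:51:00 -0500] - constructed unrelated line
"""

BANNER_RE = re.compile(r"389-Directory/(\S+) (B[\d.]+)")
CSN_RE = re.compile(
    r"""^\[(?P<logged>[^\]]+)\] agmt="(?P<agmt>[^"]+)" \((?P<consumer>[^)]+)\) - """
    r"""Can't locate CSN (?P<csn>[0-9a-fA-F]+) in the changelog \(DB rc=(?P<rc>-?\d+)\)"""
)

def csn_time(csn):
    """Assumption: the first 8 hex digits of a CSN are a Unix timestamp."""
    return datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc).isoformat()

def scan_errors_log(text):
    """Return (builds, halts): server builds seen, CSN lookup failures per agreement."""
    builds, halts = set(), defaultdict(list)
    for line in text.splitlines():
        banner = BANNER_RE.search(line)
        if banner:
            builds.add(banner.groups())  # (version, build id)
            continue
        hit = CSN_RE.match(line)
        if hit and hit["rc"] == "-30988":  # the return code quoted in the thread
            halts[hit["agmt"]].append({
                "logged": hit["logged"],
                "consumer": hit["consumer"],
                "csn": hit["csn"],
                "csn_time": csn_time(hit["csn"]),
            })
    return builds, dict(halts)

if __name__ == "__main__":
    builds, halts = scan_errors_log(SAMPLE_LOG)
    print("builds:", sorted(builds))
    for agmt, events in halts.items():
        for e in events:
            print(f"{agmt} -> {e['consumer']}: CSN {e['csn']} "
                  f"(change from {e['csn_time']}) missing at {e['logged']}")
```
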
Re: [Freeipa-users] IPA Servers out of sync - DNS records
> According to log, it looks that replication has been restored a week ago
>
> can you use https://github.com/peterpakos/ipa_check_consistency to check
> what else is missing?
>
> If it finds missing entries, probably re-initialization will be needed
>
> Martin

really odd... I just did a yum update -y during our conversation on both servers, now ipa2 is synced again...
Re: [Freeipa-users] IPA Servers out of sync - DNS records
On 27.12.2016 12:55, Outback Dingo wrote:
> On Tue, Dec 27, 2016 at 6:47 AM, Martin Basti wrote:
>> On 27.12.2016 12:40, Outback Dingo wrote:
>>> On Tue, Dec 27, 2016 at 5:59 AM, Martin Basti wrote:
>>>> On 27.12.2016 00:25, Outback Dingo wrote:
>>>>> Seems my secondary ipa server is somehow out of sync with the master,
>>>>> is there any way to force a sync update ?
>>>>
>>>> Can you elaborate more?
>>>>
>>>> What exactly from DNS records is out of sync?
>>>>
>>>> Martin
>>>
>>> it appears as though at least one A record is missing there might be
>>> more but thats the first i noticed
>>
>> Can you please search for replication conflicts
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>
>> and do you have any replication errors in /var/log/dirsrv/slapd-*/errors
>> log on servers?
>>
>> Martin
>
> from the master ipa
>
> [root@ipa dingo]# cat /var/log/dirsrv/slapd-*/errors
> 389-Directory/1.3.4.0 B2016.215.1556
> ipa.optimcloud.com:636 (/etc/dirsrv/slapd-OPTIMCLOUD-COM)
>
> [20/Dec/2016:22:38:51 -0500] - SSL alert: Configured NSS Ciphers
> [20/Dec/2016:22:38:51 -0500] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> [20/Dec/2016:22:38:51 -0500] - 389-Directory/1.3.4.0 B2016.215.1556 starting up
> [20/Dec/2016:22:38:51 -0500] - WARNING: changelog: entry cache size 2097152B is less than db size 4169728B; We recommend to increase the entry cache size nsslapd-cache
Re: [Freeipa-users] IPA Servers out of sync - DNS records
On Tue, Dec 27, 2016 at 6:47 AM, Martin Basti wrote:
> On 27.12.2016 12:40, Outback Dingo wrote:
>> On Tue, Dec 27, 2016 at 5:59 AM, Martin Basti wrote:
>>> On 27.12.2016 00:25, Outback Dingo wrote:
>>>> Seems my secondary ipa server is somehow out of sync with the master,
>>>> is there any way to force a sync update ?
>>>
>>> Can you elaborate more?
>>>
>>> What exactly from DNS records is out of sync?
>>>
>>> Martin
>>
>> it appears as though at least one A record is missing there might be
>> more but thats the first i noticed
>
> Can you please search for replication conflicts
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>
> and do you have any replication errors in /var/log/dirsrv/slapd-*/errors
> log on servers?
>
> Martin

from the master ipa

[root@ipa dingo]# cat /var/log/dirsrv/slapd-*/errors
389-Directory/1.3.4.0 B2016.215.1556
ipa.optimcloud.com:636 (/etc/dirsrv/slapd-OPTIMCLOUD-COM)

[20/Dec/2016:22:38:51 -0500] - SSL alert: Configured NSS Ciphers
[20/Dec/2016:22:38:51 -0500] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[20/Dec/2016:22:38:51 -0500] - 389-Directory/1.3.4.0 B2016.215.1556 starting up
[20/Dec/2016:22:38:51 -0500] - WARNING: changelog: entry cache size 2097152B is less than db size 4169728B; We recommend to increase the
Re: [Freeipa-users] IPA Servers out of sync - DNS records
On 27.12.2016 12:40, Outback Dingo wrote:
> On Tue, Dec 27, 2016 at 5:59 AM, Martin Basti wrote:
>> On 27.12.2016 00:25, Outback Dingo wrote:
>>> Seems my secondary ipa server is somehow out of sync with the master,
>>> is there any way to force a sync update ?
>>
>> Can you elaborate more?
>>
>> What exactly from DNS records is out of sync?
>>
>> Martin
>
> it appears as though at least one A record is missing there might be
> more but thats the first i noticed

Can you please search for replication conflicts

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

and do you have any replication errors in /var/log/dirsrv/slapd-*/errors log on servers?

Martin
Re: [Freeipa-users] IPA Servers out of sync - DNS records
On Tue, Dec 27, 2016 at 5:59 AM, Martin Basti wrote:
> On 27.12.2016 00:25, Outback Dingo wrote:
>> Seems my secondary ipa server is somehow out of sync with the master,
>> is there any way to force a sync update ?
>
> Can you elaborate more?
>
> What exactly from DNS records is out of sync?
>
> Martin

it appears as though at least one A record is missing, there might be more but that's the first I noticed
Re: [Freeipa-users] IPA Servers out of sync - DNS records
On 27.12.2016 00:25, Outback Dingo wrote:
> Seems my secondary ipa server is somehow out of sync with the master,
> is there any way to force a sync update ?

Can you elaborate more?

What exactly from DNS records is out of sync?

Martin
[Freeipa-users] IPA Servers out of sync - DNS records
Seems my secondary ipa server is somehow out of sync with the master, is there any way to force a sync update ?