Re: [Freeipa-users] Replication attrlist_replace nsslapd-referral failed
Things have been working better (so far) after taking some steps I read here:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00257.html

On Mon, Oct 10, 2016 at 6:48 PM, Fil Di Noto wrote:
> After an IPA server is re-initialized it immediately begins failing incremental updates. I checked the kerberos logs and things appear to be ok there, I can manually test LDAP from all servers against all other servers.
>
> There is a DS5ReplicaBindDN entry in "dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" for an IPA server that no longer exists. But all IPA living servers have an entry for all other living servers.
> There is the correct number of cn=master, and cn=ca, and the caRenewalMaster is set on the correct master.
>
> "ipa-replica-manage del --force --clean " does not remove the entry.
>
> There were some RUV from the old servers also and I cleaned them. The man page says if a clean is run on the wrong ID then the server should be re-initialized, so I just did that on purpose and re-initialized one of the servers and that has cleared the NSMMReplicationPlugin error (so far) but I am still getting the attrlist_replace error.
>
> I'm getting no indication of kerberos problems. Could it be the NSACLPlugin? It precedes the other error every time but that is probably just regular startup procedure, and having an ACL for something that doesn't exist doesn't feel like a fatal error to me. I didn't do the KRA install.
>
> [root@ipa05 slapd-example-com]# tail -f errors
> [10/Oct/2016:23:27:57 +] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
> [10/Oct/2016:23:27:57 +] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
> [10/Oct/2016:23:27:57 +] agmt="cn=meToipa07.example.com" (ipa07:389) - Can't locate CSN 57fc2e7f000a000d in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> [10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - changelog program - agmt="cn=meToipa07.example.com" (ipa07:389): CSN 57fc2e7f000a000d not found, we aren't as up to date, or we purged
> [10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update replica has been purged. The replica must be reinitialized.
> [10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Incremental update failed and requires administrator action
> [10/Oct/2016:23:29:09 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Replication attrlist_replace nsslapd-referral failed
Hi,

you don't specify the version you are using: If it is 389-ds-base-1.3.4.0-33.el7_2.x86_64 the following may apply:

>>>
we have identified an issue with this version, it includes a fix for 389-ds ticket #48766, which was incomplete and resolved shortly after the release of this version (it is missing the latest patch for #49766 and for #48954). You can try to go back to 1.3.4.0-32 or if you have support get a hotfix from our support.
<<<

Sorry for this,

On 10/11/2016 03:48 AM, Fil Di Noto wrote:
> After an IPA server is re-initialized it immediately begins failing incremental updates. I checked the kerberos logs and things appear to be ok there, I can manually test LDAP from all servers against all other servers.
>
> There is a DS5ReplicaBindDN entry in "dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" for an IPA server that no longer exists. But all IPA living servers have an entry for all other living servers.
> There is the correct number of cn=master, and cn=ca, and the caRenewalMaster is set on the correct master.
>
> "ipa-replica-manage del --force --clean " does not remove the entry.
>
> There were some RUV from the old servers also and I cleaned them. The man page says if a clean is run on the wrong ID then the server should be re-initialized, so I just did that on purpose and re-initialized one of the servers and that has cleared the NSMMReplicationPlugin error (so far) but I am still getting the attrlist_replace error.
>
> I'm getting no indication of kerberos problems. Could it be the NSACLPlugin? It precedes the other error every time but that is probably just regular startup procedure, and having an ACL for something that doesn't exist doesn't feel like a fatal error to me. I didn't do the KRA install.
>
> [root@ipa05 slapd-example-com]# tail -f errors
> [10/Oct/2016:23:27:57 +] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
> [10/Oct/2016:23:27:57 +] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
> [10/Oct/2016:23:27:57 +] agmt="cn=meToipa07.example.com" (ipa07:389) - Can't locate CSN 57fc2e7f000a000d in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> [10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - changelog program - agmt="cn=meToipa07.example.com" (ipa07:389): CSN 57fc2e7f000a000d not found, we aren't as up to date, or we purged
> [10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update replica has been purged. The replica must be reinitialized.
> [10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Incremental update failed and requires administrator action
> [10/Oct/2016:23:29:09 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
[Freeipa-users] Replication attrlist_replace nsslapd-referral failed
After an IPA server is re-initialized it immediately begins failing incremental updates. I checked the kerberos logs and things appear to be ok there, I can manually test LDAP from all servers against all other servers.

There is a DS5ReplicaBindDN entry in "dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" for an IPA server that no longer exists. But all IPA living servers have an entry for all other living servers.
There is the correct number of cn=master, and cn=ca, and the caRenewalMaster is set on the correct master.

"ipa-replica-manage del --force --clean " does not remove the entry.

There were some RUV from the old servers also and I cleaned them. The man page says if a clean is run on the wrong ID then the server should be re-initialized, so I just did that on purpose and re-initialized one of the servers and that has cleared the NSMMReplicationPlugin error (so far) but I am still getting the attrlist_replace error.

I'm getting no indication of kerberos problems. Could it be the NSACLPlugin? It precedes the other error every time but that is probably just regular startup procedure, and having an ACL for something that doesn't exist doesn't feel like a fatal error to me. I didn't do the KRA install.

[root@ipa05 slapd-example-com]# tail -f errors
[10/Oct/2016:23:27:57 +] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +] agmt="cn=meToipa07.example.com" (ipa07:389) - Can't locate CSN 57fc2e7f000a000d in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - changelog program - agmt="cn=meToipa07.example.com" (ipa07:389): CSN 57fc2e7f000a000d not found, we aren't as up to date, or we purged
[10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update replica has been purged. The replica must be reinitialized.
[10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Incremental update failed and requires administrator action
[10/Oct/2016:23:29:09 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.
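
The error log posted in this thread mixes per-agreement replication failures with ACL and referral messages. As an added example (not written by the posters or the 389-ds/FreeIPA projects), this Python script groups such entries by replication agreement and lists the referral and ACL messages separately; the function names and finding labels are assumptions, and the sample is the posted log with one entry left wrapped.

```python
import re
from collections import defaultdict

# Sample: the entries posted in this thread (timestamps and CSN as archived).
# One entry is left wrapped, as mail clients do, to exercise re-joining.
SAMPLE = """\
[10/Oct/2016:23:27:57 +] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +] NSACLPlugin - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +] agmt="cn=meToipa07.example.com" (ipa07:389) - Can't locate CSN 57fc2e7f000a000d in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - changelog program - agmt="cn=meToipa07.example.com" (ipa07:389): CSN 57fc2e7f000a000d not found, we aren't as up to date, or we purged
[10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update replica has been purged. The replica must be reinitialized.
[10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Incremental update failed and requires administrator action
[10/Oct/2016:23:29:09 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.
"""

AGMT = re.compile(r'agmt="([^"]+)"\s+\(([^)]+)\)')
RULES = {  # hypothetical finding labels -> wording seen in the posted log
    "missing_csn": re.compile(r"Can't locate CSN (\w+)|CSN (\w+) not found"),
    "reinit_required": re.compile(r"must be reinitialized"),
    "incremental_failed": re.compile(r"Incremental update failed"),
}
REFERRAL = re.compile(r"attr_replace \(nsslapd-referral, (\S+)\) failed")
ACL = re.compile(r"NSACLPlugin - The ACL target (.+?) does not exist")

def entries(text):
    """One string per log entry; lines not starting with '[' are wrapped continuations."""
    return [" ".join(e.split()) for e in re.split(r"\n(?=\[)", text.strip()) if e]

def triage(text):
    """Return (per-agreement findings, failed referral URLs, missing ACL targets)."""
    agmts = defaultdict(lambda: {"peer": None, "findings": set(), "csns": set()})
    referrals, acl_targets = [], []
    for msg in entries(text):
        m = AGMT.search(msg)
        if m:
            info = agmts[m.group(1)]
            info["peer"] = m.group(2)
            for name, rx in RULES.items():
                hit = rx.search(msg)
                if hit:
                    info["findings"].add(name)
                    info["csns"].update(g for g in hit.groups() if g)
        referrals += REFERRAL.findall(msg)
        acl_targets += ACL.findall(msg)
    return dict(agmts), referrals, acl_targets

if __name__ == "__main__":
    print(triage(SAMPLE))
```
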