<div dir="ltr"><div>Here is server1's access log; one side seems broken.<br></div><div><br></div><div>The problem is how to make it replicate again.</div><div><br></div><div>On server 1</div><div><br></div><div><span style="font-family:arial,sans-serif;font-size:14px">it is OK: master server1, master server2 </span><br>
</div><div><span style="font-family:arial,sans-serif;font-size:14px"><br></span></div><div><div style="font-family:arial,sans-serif;font-size:14px"><br></div></div><div>On the other side, server 2 contains 2 IP replications.</div>
<div><br></div><div><span style="font-family:arial,sans-serif;font-size:14px">ipa-replica-manage list shows "Can't contact LDAP server"</span><br></div><div><span style="font-family:arial,sans-serif;font-size:14px"><br>
</span></div><div><span style="font-family:arial,sans-serif;font-size:14px">I don't know why, but the problematic server is server 2, not server 1.</span></div><div><br></div><div>Log of server2:</div><div>[08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from 192.168.15.89 (server1) to 192.168.15.88 (server2)<br>
</div><div><div>[08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1</div><div>[08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88</div><div>[08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1</div>
<div>[08/Jul/2014:16:02:41 +0800] conn=3299733 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88</div><div>[08/Jul/2014:16:02:41 +0800] conn=3299733 op=-1 fd=69 closed - B1</div></div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">2014-07-07 22:21 GMT+08:00 Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><div class="">
<div>On 07/04/2014 03:28 AM,
<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a> wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">FOUND something strange: server 1 replicates to
itself rather than to server2
<div><br>
</div>
<div>
<div>Server1 access log > Wrong</div>
<div>[04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73
connection from 192.168.15.89 (server1) to 192.168.15.89
(server1)</div>
</div>
</div>
</blockquote>
<br></div>
Are you sure that this connection is a replication session? Can you
post all of the operations from the access log from conn=936207?<div><div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
<div><br>
</div>
<div>Server 2 access log > OK</div>
<div>[04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74
connection from 192.168.15.89(server2) to 192.168.15.88
(server2)</div>
</div>
</div>
<div class="gmail_extra">
<br>
<br>
<div class="gmail_quote">2014-07-04 9:25 GMT+08:00 <span dir="ltr"><<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>Just sure now that one side of the flow is broken: if you update
server1, it 100% works; server2 will update.<br>
</div>
<div>But if you update server2 there is a chance of non-sync, e.g.
it creates a username in server1 with POSIX group > OK,</div>
<div>but in server2 it only created the POSIX group but no
username/attribute. It occurred several times. I have to
use the command line (group del, etc.) to force-delete them and
recreate them.</div>
<div><br>
</div>
<div>Result below:</div>
<div><br>
</div>
<div><a href="http://server2.abc.com" target="_blank">server2.abc.com</a>:
replica</div>
<div> last init status: None</div>
<div> last init ended: None</div>
<div> last update status: 0 Replica acquired
successfully: Incremental update succeeded</div>
<div> last update ended: 2014-07-04 00:33:18+00:00</div>
<div><br>
</div>
<div>Directory Manager password:</div>
<div><br>
</div>
<div><a href="http://server1.abc.com" target="_blank">server1.abc.com</a>:
replica</div>
<div> last init status: 0 Total update succeeded</div>
<div> last init ended: 2014-06-20 10:07:02+00:00</div>
<div> last update status: 0 Replica acquired
successfully: Incremental update succeeded</div>
<div> last update ended: 2014-07-04 01:14:19+00:00</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>[root@(LIVE)server2 ~]$ ipactl status</div>
<div>Directory Service: RUNNING</div>
<div>KDC Service: RUNNING</div>
<div>KPASSWD Service: RUNNING</div>
<div>MEMCACHE Service: RUNNING</div>
<div>HTTP Service: RUNNING</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2014-07-04 1:34 GMT+08:00 Rob
Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:
<div>
<div><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a> wrote:<br>
> Yes they are running. Server 1 can sync to
server2 but errors at server 2<br>
> like this.<br>
<br>
</div>
How do you know server 1 is syncing with server 2?<br>
<br>
On server 1 I'd run:<br>
<br>
ipa-replica-manage list -v `hostname`<br>
<br>
This will show the replication status.<br>
<br>
And what does ipactl status show on server 2?<br>
<br>
rob<br>
<div><br>
><br>
> On 2014/7/3 at 10:14 PM, "Rob Crittenden" <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br>
</div>
> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>>
wrote:<br>
<div>><br>
> Please keep replies on the list.<br>
><br>
</div>
<div>> <a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>
<mailto:<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>>
wrote:<br>
> > I saw the error below and error
log; is it related?<br>
> ><br>
> > 29/Jun/2014:02:00:58 +0800]
slapd_ldap_sasl_interactive_bind - Error:<br>
> > could not perform interactive bind
for id [] mech [GSSAPI]: LDAP error<br>
> > -2 (Local error) (SASL(-1):
generic failure: GSSAPI Error: Unspecified<br>
> > GSS failure. Minor code may
provide more information (Credentials<br>
> cache<br>
> > file '/tmp/krb5cc_492' not found))
errno 0 (Success)<br>
> > [29/Jun/2014:02:00:58 +0800]
slapi_ldap_bind - Error: could not<br>
> perform<br>
> > interactive bind for id [] mech
[GSSAPI]: error -2 (Local error)<br>
><br>
> I believe this is fairly normal on a
new startup. It has to start<br>
> somewhere. The expired ticket errors
below are unexpected since there<br>
> are so many of them. Is your KDC
running?<br>
><br>
> ipactl status<br>
><br>
> rob<br>
><br>
> ><br>
> ><br>
> > 2014-07-02 14:15 GMT+08:00 <<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a><br>
</div>
> <mailto:<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>>
<mailto:<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a><br>
<div>
<div>> <mailto:<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>>>>:<br>
> ><br>
> ><br>
> > This is the error log I
found at <a href="http://2.abc.com" target="_blank">2.abc.com</a>
<<a href="http://2.abc.com" target="_blank">http://2.abc.com</a>><br>
> <<a href="http://2.abc.com" target="_blank">http://2.abc.com</a>><br>
> ><br>
> > [30/Jun/2014:12:51:31 +0800]
slapd_ldap_sasl_interactive_bind -<br>
> > Error: could not perform
interactive bind for id [] mech [GSSAPI]:<br>
> > LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI<br>
> > Error: Unspecified GSS
failure. Minor code may provide more<br>
> > information (Ticket
expired)) errno 0 (Success)<br>
> > [30/Jun/2014:12:51:31 +0800]
slapd_ldap_sasl_interactive_bind -<br>
> > Error: could not perform
interactive bind for id [] mech [GSSAPI]:<br>
> > LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI<br>
> > Error: Unspecified GSS
failure. Minor code may provide more<br>
> > information (Ticket
expired)) errno 0 (Success)<br>
> > [30/Jun/2014:12:51:31 +0800]
slapi_ldap_bind - Error: could not<br>
> > perform interactive bind for
id [] mech [GSSAPI]: error -2<br>
> (Local error)<br>
> > [30/Jun/2014:12:51:31 +0800]
NSMMReplicationPlugin -<br>
> > agmt="cn=<a href="http://meTo1.abc.com" target="_blank">meTo1.abc.com</a>
<<a href="http://meTo1.abc.com" target="_blank">http://meTo1.abc.com</a>><br>
> <<a href="http://meTo1.abc.com" target="_blank">http://meTo1.abc.com</a>>"
(central:389):<br>
> > Replication bind with GSSAPI
auth failed: LDAP error -2 (Local<br>
> > error) (SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS<br>
> > failure. Minor code may
provide more information (Ticket<br>
> expired))<br>
> > [30/Jun/2014:12:51:34 +0800]
slapd_ldap_sasl_interactive_bind -<br>
> > Error: could not perform
interactive bind for id [] mech [GSSAPI]:<br>
> > LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI<br>
> > Error: Unspecified GSS
failure. Minor code may provide more<br>
> > information (Ticket
expired)) errno 0 (Success)<br>
> > [30/Jun/2014:12:51:35 +0800]
slapd_ldap_sasl_interactive_bind -<br>
> > Error: could not perform
interactive bind for id [] mech [GSSAPI]:<br>
> > LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI<br>
> > Error: Unspecified GSS
failure. Minor code may provide more<br>
> > information (Ticket
expired)) errno 0 (Success)<br>
> > [30/Jun/2014:12:51:35 +0800]
slapi_ldap_bind - Error: could not<br>
> > perform interactive bind for
id [] mech [GSSAPI]: error -2<br>
> (Local error)<br>
> > [30/Jun/2014:12:51:40 +0800]
slapd_ldap_sasl_interactive_bind -<br>
> > Error: could not perform
interactive bind for id [] mech [GSSAPI]:<br>
> > LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI<br>
> > Error: Unspecified GSS
failure. Minor code may provide more<br>
> > information (Ticket
expired)) errno 0 (Success)<br>
> > [30/Jun/2014:12:51:40 +0800]
slapd_ldap_sasl_interactive_bind -<br>
> > Error: could not perform
interactive bind for id [] mech [GSSAPI]:<br>
> > LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI<br>
> > Error: Unspecified GSS
failure. Minor code may provide more<br>
> > information (Ticket
expired)) errno 0 (Success)<br>
> > [30/Jun/2014:12:51:40 +0800]
slapi_ldap_bind - Error: could not<br>
> > perform interactive bind for
id [] mech [GSSAPI]: error -2<br>
> (Local error)<br>
> ><br>
> ><br>
> > 2014-07-02 12:32 GMT+08:00
<<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>><br>
</div>
</div>
> > <mailto:<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>
<mailto:<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>>>>:<br>
<div>> ><br>
> > Yes, on node 1 it is
happening; only node2 fails to connect<br>
> ><br>
> > ipa-replica-manage list <a href="http://2.abc.com" target="_blank">2.abc.com</a> <<a href="http://2.abc.com" target="_blank">http://2.abc.com</a>><br>
> <<a href="http://2.abc.com" target="_blank">http://2.abc.com</a>><br>
> > Directory Manager
password:<br>
> ><br>
</div>
> > <a href="http://1.abc.com" target="_blank">1.abc.com</a>
<<a href="http://1.abc.com" target="_blank">http://1.abc.com</a>>
<<a href="http://1.abc.com" target="_blank">http://1.abc.com</a>>:
replica<br>
<div>> ><br>
> ><br>
> ><br>
> > 2014-06-30 20:59 GMT+08:00
Rob Crittenden<br>
> <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>
<mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>><br>
</div>
> > <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>
<mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>>>:<br>
<div>
<div>> ><br>
> > Barry wrote:<br>
> > > Hi:<br>
> > ><br>
> > > Server 1 and
Server 2 are cluster master-master<br>
> originally,<br>
> > but server 2<br>
> > > fails to connect to
server1.<br>
> > ><br>
> > >
ipa-replica-manage list shows "Can't contact
LDAP server"<br>
> > ><br>
> > > But on server1
it is OK: master server1, master server2,<br>
> > ><br>
> > > It seems that if I
update on server 1 then it syncs to<br>
> > server2 with no problem,<br>
> > > but sometimes
if I modify in server2 it fails to update<br>
> server1.<br>
> > ><br>
> > > Any idea how to
rebuild the mutual relationship?<br>
> ><br>
> > The first step is to
diagnose what is wrong. I've already<br>
> > suggested a<br>
> > few things,<br>
> ><br>
> <a href="https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html" target="_blank">https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html</a><br>
> ><br>
> > rob<br>
> ><br>
> > --<br>
> > Manage your
subscription for the Freeipa-users mailing<br>
> list:<br>
> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> > Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
<br>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
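<p>The pattern in the logs above, server2 closing every inbound connection from 192.168.15.89 with <code>closed - B1</code> before a single operation is logged, and server1 apparently connecting to its own address, is worth checking mechanically rather than by eye. Rich's question (is conn=936207 really a replication session?) is answered by the operations logged on that connection, not by the "connection from" line alone. In the 389 Directory Server access log, <code>B1</code> means the server dropped the connection because it received a corrupt BER tag, i.e. bytes it could not parse as LDAP, and <code>U1</code> means the client sent an UNBIND. What follows is an added example and not code from this thread, from FreeIPA or from 389-ds: it groups access-log lines by connection, flags self-connections, replication sessions (an extended operation whose name contains "replication") and peer connections closed with B1 without any BIND, and counts the Kerberos reason behind each failed GSSAPI bind in the errors log. The sample lines are constructed from the excerpts in the thread; the body of the conn=936207 session (the BIND, RESULT and EXT lines), the principal DN and the set of peer IPs are assumptions.</p>

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample modelled on the excerpts in the thread; not a real capture.
# The conn=936207 operations are an assumption about what a replication session
# looks like in the access log (GSSAPI BIND, then the replication extended op).
SAMPLE_ACCESS_LOG = """\
[08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
[08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1
[04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.15.89 to 192.168.15.89
[04/Jul/2014:12:35:30 +0800] conn=936207 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jul/2014:12:35:30 +0800] conn=936207 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/server1.abc.com@ABC.COM,cn=services,cn=accounts,dc=abc,dc=com"
[04/Jul/2014:12:35:30 +0800] conn=936207 op=1 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[04/Jul/2014:12:35:30 +0800] conn=936207 op=1 RESULT err=0 tag=120 nentries=0 etime=0
[04/Jul/2014:12:35:31 +0800] conn=936207 op=2 UNBIND
[04/Jul/2014:12:35:31 +0800] conn=936207 op=2 fd=73 closed - U1
"""

# Constructed errors-log sample, condensed from the lines quoted in the thread.
SAMPLE_ERRORS_LOG = """\
[29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
[30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
[30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meTo1.abc.com" (central:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OPEN_RE = re.compile(r"fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+) to (?P<dst>\S+)")
CLOSE_RE = re.compile(r"op=-?\d+ fd=\d+ closed - (?P<code>\w+)")
OP_RE = re.compile(r"op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<args>.*)$")
GSS_REASON_RE = re.compile(r"Minor code may provide more information \((?P<reason>[^)]*)\)")


@dataclass
class Conn:
    conn: str
    src: str = ""
    dst: str = ""
    close_code: str = ""          # 389-ds close reason, e.g. B1, U1, T1
    ops: list = field(default_factory=list)  # (op number, kind, remaining args)

    def has(self, kind, needle=""):
        """True if an operation of this kind (BIND, EXT, ...) whose args contain needle was logged."""
        return any(k == kind and needle in a for _, k, a in self.ops)


def parse_access_log(text):
    """Group access-log lines by connection id, recording endpoints, operations and the close code."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = conns.setdefault(m["conn"], Conn(m["conn"]))
        rest = m["rest"]
        if (o := OPEN_RE.match(rest)):
            c.src, c.dst = o["src"], o["dst"]
        elif (cl := CLOSE_RE.match(rest)):       # checked before OP_RE: close lines also carry op=
            c.close_code = cl["code"]
        elif (op := OP_RE.match(rest)):
            c.ops.append((int(op["op"]), op["kind"], op["args"].strip()))
    return conns


def classify(conns, peers):
    """Return {conn_id: [finding, ...]} for connections worth a closer look; peers = replica IPs."""
    findings = {}
    for cid, c in conns.items():
        notes = []
        if c.src and c.src == c.dst:
            notes.append("self-connection")          # same host on both ends; confirm with the ops
        if c.has("EXT", "replication"):
            notes.append("replication-session")      # the replication start extended op was sent
        if c.src in peers and c.close_code == "B1" and not c.has("BIND"):
            notes.append("peer-closed-B1-before-bind")  # peer's bytes were not parseable LDAP
        if notes:
            findings[cid] = notes
    return findings


def summarize_gssapi_errors(text):
    """Count the Kerberos-level reason behind each failed GSSAPI bind in the errors log."""
    counts = Counter()
    for line in text.splitlines():
        m = GSS_REASON_RE.search(line)
        if m:
            counts[m["reason"]] += 1
    return counts


if __name__ == "__main__":
    conns = parse_access_log(SAMPLE_ACCESS_LOG)
    for cid, notes in classify(conns, {"192.168.15.89", "192.168.15.88"}).items():
        c = conns[cid]
        print(f"conn={cid} {c.src}->{c.dst} closed={c.close_code or '?'} ops={len(c.ops)}: {', '.join(notes)}")
    for reason, n in summarize_gssapi_errors(SAMPLE_ERRORS_LOG).items():
        print(f"{n:3d}  GSSAPI bind failed: {reason}")
```

<p>To use it on a real instance, replace the two sample strings with the contents of the access and errors files under the instance's log directory and pass the actual replica addresses as <code>peers</code>. A connection from the host's own address is only reported as a replication session when the replication extended operation appears on it; the IPA framework on the same box also talks to the local directory server, so a self-connection by itself proves nothing, which is exactly why the full operation list for conn=936207 was asked for. Repeated B1 closes from a peer with no BIND at all point at something other than a replication agreement misconfiguration, since the server never got far enough to evaluate credentials, and the errors-log summary separates the "credentials cache not found" case (nothing has obtained a ticket yet) from "Ticket expired" (a ticket exists but was never renewed), which need different fixes.</p>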