<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 07/08/2014 02:16 AM,
<a class="moz-txt-link-abbreviated" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> wrote:<br>
</div>
<blockquote
cite="mid:CAELz9dsJnT+OJ2y5MhB6YfKutTk2Aje1bT+_rgNuDi-ofbvMWA@mail.gmail.com"
type="cite">
<div dir="ltr">Resent as size limit.
<div><br>
<div><br>
</div>
<div>
<div style="font-family:arial,sans-serif;font-size:14px">Here
u are server1 's access log seem one side broken<br>
</div>
<div style="font-family:arial,sans-serif;font-size:14px">
<br>
</div>
<div style="font-family:arial,sans-serif;font-size:14px">the
problem is how to make it replicate again.</div>
<div style="font-family:arial,sans-serif;font-size:14px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:14px">
At server 1</div>
<div class="im"
style="font-family:arial,sans-serif;font-size:14px">
<div><br>
</div>
<div>it is ok master server1 master server2 <br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div style="font-family:arial,sans-serif;font-size:14px">
Another side server 2 contains 2 ip replication.</div>
<div class="im"
style="font-family:arial,sans-serif;font-size:14px">
<div><br>
</div>
<div>ipa-replica-manage list shown Can't contact LDAP
server<br>
</div>
<div><br>
</div>
</div>
<div style="font-family:arial,sans-serif;font-size:14px">I
don't know why but the problematic server is server 2 not
server 1</div>
<div style="font-family:arial,sans-serif;font-size:14px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:14px">
log of server2</div>
<div style="font-family:arial,sans-serif;font-size:14px">[08/Jul/2014:16:02:40
+0800] conn=3299731 fd=69 slot=69 connection from
192.168.15.89 (server1) to 192.168.15.88(server2)<br>
</div>
<div style="font-family:arial,sans-serif;font-size:14px">
<div>[08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69
closed - B1</div>
<div>[08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69
slot=69 connection from 192.168.15.89 to 192.168.15.88</div>
<div>[08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69
closed - B1</div>
<div>[08/Jul/2014:16:02:41 +0800] conn=3299733 fd=69
slot=69 connection from 192.168.15.89 to 192.168.15.88</div>
<div>[08/Jul/2014:16:02:41 +0800] conn=3299733 op=-1 fd=69
closed - B1</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
You never answered my question below. "Are you sure that this
connection is a replication session? Can you post all of the
operations from the access log from conn=936207?"<br>
<br>
In the future, please avoid spamming the list with large log files.
In general, it's better to provide excerpts from the log files
showing the problem, paste them to fpaste.org, and post the link to
the mailing list. If for some reason you need to post a large file,
please use a file sharing service and post the link to the file.<br>
<br>
Can you take a look at your errors log from server 1 and server 2
and see if there are any relevant errors?<br>
<br>
If I had to guess, I would say that there is some sort of network
error between server 1 and server 2 that causes the excessive closed
- B1. Perhaps there will be more information in the errors log.<br>
<br>
<blockquote
cite="mid:CAELz9dsJnT+OJ2y5MhB6YfKutTk2Aje1bT+_rgNuDi-ofbvMWA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div style="font-family:arial,sans-serif;font-size:14px">
<div><br>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2014-07-07 22:21 GMT+08:00 Rich
Megginson <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="">
<div>On 07/04/2014 03:28 AM, <a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">FOUND something strange that server 1
replicate to itself rather than server2
<div><br>
</div>
<div>
<div>Server1 access log > Wrong</div>
<div>[04/Jul/2014:12:35:30 +0800] conn=936207
fd=73 slot=73 connection from 192.168.15.89(
server1 ) to 192.168.15.89 (server1)</div>
</div>
</div>
</blockquote>
<br>
</div>
Are you sure that this connection is a replication
session? Can you post all of the operations from the
access log from conn=936207?
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
<div><br>
</div>
<div>Server 2 access log > OK</div>
<div>[04/Jul/2014:12:35:30 +0800] conn=936208
fd=74 slot=74 connection from
192.168.15.89(server2) to 192.168.15.88
(server2)</div>
</div>
</div>
<div class="gmail_extra"> <br>
<br>
<div class="gmail_quote">2014-07-04 9:25 GMT+08:00
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div>Just sure now one side flow is broken,
if u update server1 , it 100% work server2
will upgrade.<br>
</div>
<div>but if u update server2 there is chance
non-syn e.g it create username in server1
with posfix grp >ok</div>
<div>but in server2 it only created posfix
grp but no username /attribute it occur
several times. I have to use command line
grp del ...etc. to force del them and
recreate them.,.</div>
<div><br>
</div>
<div>Result below:</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://server2.abc.com"
target="_blank">server2.abc.com</a>:
replica</div>
<div> last init status: None</div>
<div> last init ended: None</div>
<div> last update status: 0 Replica
acquired successfully: Incremental update
succeeded</div>
<div> last update ended: 2014-07-04
00:33:18+00:00</div>
<div><br>
</div>
<div>Directory Manager password:</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://server1.abc.com"
target="_blank">server1.abc.com</a>:
replica</div>
<div> last init status: 0 Total update
succeeded</div>
<div> last init ended: 2014-06-20
10:07:02+00:00</div>
<div> last update status: 0 Replica
acquired successfully: Incremental update
succeeded</div>
<div> last update ended: 2014-07-04
01:14:19+00:00</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>[root@(LIVE)server2 ~]$ ipactl status</div>
<div>Directory Service: RUNNING</div>
<div>KDC Service: RUNNING</div>
<div>KPASSWD Service: RUNNING</div>
<div>MEMCACHE Service: RUNNING</div>
<div> HTTP Service: RUNNING</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2014-07-04 1:34
GMT+08:00 Rob Crittenden <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>></span>:
<div>
<div><br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div><a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a>
wrote:<br>
> Yes they are running. Server
1 can syn to server2 but error at
server 2<br>
> like this.<br>
<br>
</div>
How do you know server 1 is syncing
with server 2?<br>
<br>
On server 1 I'd run:<br>
<br>
ipa-replica-manage list -v
`hostname`<br>
<br>
This will show the replication
status.<br>
<br>
And what does ipactl status show on
server 2?<br>
<br>
rob<br>
<div><br>
><br>
> On 2014/7/3 10:14 PM, "Rob
Crittenden" <<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a><br>
</div>
> <mailto:<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>>>
wrote:<br>
<div>><br>
> Please keep replies on the
list.<br>
><br>
</div>
<div>> <a
moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a>
<mailto:<a
moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a>>
wrote:<br>
> > I saw the error
below and error log is it related
?<br>
> ><br>
> > 29/Jun/2014:02:00:58
+0800]
slapd_ldap_sasl_interactive_bind -
Error:<br>
> > could not perform
interactive bind for id [] mech
[GSSAPI]: LDAP error<br>
> > -2 (Local error)
(SASL(-1): generic failure: GSSAPI
Error: Unspecified<br>
> > GSS failure. Minor
code may provide more information
(Credentials<br>
> cache<br>
> > file
'/tmp/krb5cc_492' not found))
errno 0 (Success)<br>
> >
[29/Jun/2014:02:00:58 +0800]
slapi_ldap_bind - Error: could not<br>
> perform<br>
> > interactive bind for
id [] mech [GSSAPI]: error -2
(Local error)<br>
><br>
> I believe this is fairly
normal on a new startup. It has to
start<br>
> somewhere. The expired
ticket errors below are unexpected
since there<br>
> are so many of them. Is
your KDC running?<br>
><br>
> ipactl status<br>
><br>
> rob<br>
><br>
> ><br>
> ><br>
> > 2014-07-02 14:15
GMT+08:00 <<a
moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a><br>
</div>
> <mailto:<a
moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a>>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a><br>
<div>
<div>> <mailto:<a
moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a>>>>:<br>
> ><br>
> ><br>
> > this is the
error log i found at <a
moz-do-not-send="true"
href="http://2.abc.com"
target="_blank">2.abc.com</a>
<<a moz-do-not-send="true"
href="http://2.abc.com"
target="_blank">http://2.abc.com</a>><br>
> <<a
moz-do-not-send="true"
href="http://2.abc.com"
target="_blank">http://2.abc.com</a>><br>
> ><br>
> >
[30/Jun/2014:12:51:31 +0800]
slapd_ldap_sasl_interactive_bind
-<br>
> > Error: could
not perform interactive bind for
id [] mech [GSSAPI]:<br>
> > LDAP error -2
(Local error) (SASL(-1): generic
failure: GSSAPI<br>
> > Error:
Unspecified GSS failure. Minor
code may provide more<br>
> > information
(Ticket expired)) errno 0
(Success)<br>
> >
[30/Jun/2014:12:51:31 +0800]
slapd_ldap_sasl_interactive_bind
-<br>
> > Error: could
not perform interactive bind for
id [] mech [GSSAPI]:<br>
> > LDAP error -2
(Local error) (SASL(-1): generic
failure: GSSAPI<br>
> > Error:
Unspecified GSS failure. Minor
code may provide more<br>
> > information
(Ticket expired)) errno 0
(Success)<br>
> >
[30/Jun/2014:12:51:31 +0800]
slapi_ldap_bind - Error: could
not<br>
> > perform
interactive bind for id [] mech
[GSSAPI]: error -2<br>
> (Local error)<br>
> >
[30/Jun/2014:12:51:31 +0800]
NSMMReplicationPlugin -<br>
> > agmt="cn=<a
moz-do-not-send="true"
href="http://meTo1.abc.com"
target="_blank">meTo1.abc.com</a>
<<a moz-do-not-send="true"
href="http://meTo1.abc.com"
target="_blank">http://meTo1.abc.com</a>><br>
> <<a
moz-do-not-send="true"
href="http://meTo1.abc.com"
target="_blank">http://meTo1.abc.com</a>>"
(central:389):<br>
> > Replication
bind with GSSAPI auth failed:
LDAP error -2 (Local<br>
> > error)
(SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS<br>
> > failure.
Minor code may provide more
information (Ticket<br>
> expired))<br>
> >
[30/Jun/2014:12:51:34 +0800]
slapd_ldap_sasl_interactive_bind
-<br>
> > Error: could
not perform interactive bind for
id [] mech [GSSAPI]:<br>
> > LDAP error -2
(Local error) (SASL(-1): generic
failure: GSSAPI<br>
> > Error:
Unspecified GSS failure. Minor
code may provide more<br>
> > information
(Ticket expired)) errno 0
(Success)<br>
> >
[30/Jun/2014:12:51:35 +0800]
slapd_ldap_sasl_interactive_bind
-<br>
> > Error: could
not perform interactive bind for
id [] mech [GSSAPI]:<br>
> > LDAP error -2
(Local error) (SASL(-1): generic
failure: GSSAPI<br>
> > Error:
Unspecified GSS failure. Minor
code may provide more<br>
> > information
(Ticket expired)) errno 0
(Success)<br>
> >
[30/Jun/2014:12:51:35 +0800]
slapi_ldap_bind - Error: could
not<br>
> > perform
interactive bind for id [] mech
[GSSAPI]: error -2<br>
> (Local error)<br>
> >
[30/Jun/2014:12:51:40 +0800]
slapd_ldap_sasl_interactive_bind
-<br>
> > Error: could
not perform interactive bind for
id [] mech [GSSAPI]:<br>
> > LDAP error -2
(Local error) (SASL(-1): generic
failure: GSSAPI<br>
> > Error:
Unspecified GSS failure. Minor
code may provide more<br>
> > information
(Ticket expired)) errno 0
(Success)<br>
> >
[30/Jun/2014:12:51:40 +0800]
slapd_ldap_sasl_interactive_bind
-<br>
> > Error: could
not perform interactive bind for
id [] mech [GSSAPI]:<br>
> > LDAP error -2
(Local error) (SASL(-1): generic
failure: GSSAPI<br>
> > Error:
Unspecified GSS failure. Minor
code may provide more<br>
> > information
(Ticket expired)) errno 0
(Success)<br>
> >
[30/Jun/2014:12:51:40 +0800]
slapi_ldap_bind - Error: could
not<br>
> > perform
interactive bind for id [] mech
[GSSAPI]: error -2<br>
> (Local error)<br>
> ><br>
> ><br>
> > 2014-07-02
12:32 GMT+08:00 <<a
moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a><br>
> <mailto:<a
moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a>><br>
</div>
</div>
> > <mailto:<a
moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com"
target="_blank">barrykfl@gmail.com</a>>>>:<br>
<div>> ><br>
> > yes on node
1 it is happening only node2 fail
connect<br>
> ><br>
> >
ipa-replica-manage list <a
moz-do-not-send="true"
href="http://2.abc.com"
target="_blank">2.abc.com</a>
<<a moz-do-not-send="true"
href="http://2.abc.com"
target="_blank">http://2.abc.com</a>><br>
> <<a
moz-do-not-send="true"
href="http://2.abc.com"
target="_blank">http://2.abc.com</a>><br>
> > Directory
Manager password:<br>
> ><br>
</div>
> > <a
moz-do-not-send="true"
href="http://1.abc.com"
target="_blank">1.abc.com</a> <<a
moz-do-not-send="true"
href="http://1.abc.com"
target="_blank">http://1.abc.com</a>>
<<a moz-do-not-send="true"
href="http://1.abc.com"
target="_blank">http://1.abc.com</a>>:
replica<br>
<div>> ><br>
> ><br>
> ><br>
> > 2014-06-30
20:59 GMT+08:00 Rob Crittenden<br>
> <<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>
<mailto:<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>><br>
</div>
> > <mailto:<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>>>>:<br>
<div>
<div>> ><br>
> > Barry
wrote:<br>
> > >
Hi:<br>
> > ><br>
> > >
Server 1 and Server 2 is cluster
master master<br>
> originally ,<br>
> > but
server 2<br>
> > >
fail to connect server1 ,.<br>
> > ><br>
> > >
ipa-replica-manage list shown
Can't contact LDAP server<br>
> > ><br>
> > >
But as server1 it is ok master
server1 master server2 ,<br>
> > ><br>
> > >
It seem affect if update on
server 1 then it syn to<br>
> >
server2 no problem<br>
> > >
but sometimes if modify in
server2 if fail to update<br>
> server1.<br>
> > ><br>
> > >
Any idea to rebuild mutual
relationship.?<br>
> ><br>
> > The
first step is to diagnose what
is wrong. I've already<br>
> >
suggested a<br>
> > few
things,<br>
> ><br>
> <a
moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html"
target="_blank">https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html</a><br>
> ><br>
> > rob<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
<br>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
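<div>Added example, not part of the original thread and not FreeIPA or 389 Directory Server code: one way to pull every access-log record for a given conn= number and to count, per client IP, the connections that closed with B1 before any LDAP operation. The sample log is constructed in the format quoted above, and the function names are hypothetical.</div>
<pre>
```python
import re
from collections import Counter, defaultdict

# Constructed sample in the access-log format quoted in this thread.
SAMPLE_LOG = """\
[08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
[08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1
[08/Jul/2014:16:02:41 +0800] conn=3299740 fd=70 slot=70 connection from 192.168.15.90 to 192.168.15.88
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[08/Jul/2014:16:02:42 +0800] conn=3299740 op=1 fd=70 closed - U1
"""

LINE = re.compile(r"^\[[^\]]+\] conn=(\d+) (.*)$")
OPENED = re.compile(r"connection from (\S+) to (\S+)")
CLOSED = re.compile(r"op=-?\d+ fd=\d+ closed - (\w+)")

def by_connection(text):
    """Group access-log records by conn= number, in log order."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            conns[int(m.group(1))].append(m.group(2))
    return conns

def summarize(records):
    """Return (client_ip, close_code, had_operations) for one connection."""
    peer = code = None
    had_ops = False
    for rec in records:
        opened, closed = OPENED.search(rec), CLOSED.search(rec)
        if opened:
            peer = opened.group(1)
        elif closed:
            code = closed.group(1)
        elif rec.startswith("op="):
            had_ops = True  # BIND, SRCH, EXT, RESULT ... a real LDAP operation
    return peer, code, had_ops

def empty_b1_by_peer(text):
    """Count, per client IP, connections closed with B1 before any operation."""
    counts = Counter()
    for records in by_connection(text).values():
        peer, code, had_ops = summarize(records)
        if code == "B1" and not had_ops:
            counts[peer] += 1
    return counts
```
</pre>
<div>A connection that closes straight after the connect line carries no BIND, so the access log alone cannot show whether it was a replication session; by_connection(text)[936207] returns the records that would answer that for a single connection.</div>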
</body>
</html>