<div dir="ltr"><div>Hi:</div><div><br></div><div>There is only one piece of info that may relate to the SSL "can't contact" error. Any idea? It is using a GoDaddy cert *.<a href="http://abc.com">abc.com</a> without error on starting ipa </div><div>
<br></div><div>[16/Jul/2014:10:01:38 +0800] conn=1018090 fd=72 slot=72 SSL connection from 192.168.15.88 to 192.168.15.88</div><div>[16/Jul/2014:10:01:38 +0800] conn=1018090 op=-1 fd=72 closed - Peer does not recognize and trust the CA that issued your certificate</div>
<div><br></div><div>BTW ... after changing the deadlock parameter </div><div><br></div><div>nsslapd-db-deadlock-policy: 9 to 6 ... is it necessary to restart the server? Can any command force the update?</div><div><br></div></div><div class="gmail_extra">
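<div>Added example, not part of the original message or of 389-ds/FreeIPA: a Python sketch of the access-log check discussed in this thread, pairing each connection with its close line and listing the connections that closed before any operation ran, grouped by close reason. The function names are hypothetical; the first two sample lines are the ones quoted above and the rest are constructed in the same layout.</div>

```python
import re
from collections import OrderedDict

# Sample access log. The first two lines are quoted in this message; the
# remaining lines are constructed for illustration in the same layout.
SAMPLE_LOG = """\
[16/Jul/2014:10:01:38 +0800] conn=1018090 fd=72 slot=72 SSL connection from 192.168.15.88 to 192.168.15.88
[16/Jul/2014:10:01:38 +0800] conn=1018090 op=-1 fd=72 closed - Peer does not recognize and trust the CA that issued your certificate
[16/Jul/2014:10:01:40 +0800] conn=1018091 fd=73 slot=73 connection from 192.168.15.89 to 192.168.15.88
[16/Jul/2014:10:01:40 +0800] conn=1018091 op=-1 fd=73 closed - B1
[16/Jul/2014:10:01:41 +0800] conn=1018092 fd=74 slot=74 SSL connection from 192.168.15.88 to 192.168.15.88
[16/Jul/2014:10:01:41 +0800] conn=1018092 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Jul/2014:10:01:41 +0800] conn=1018092 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[16/Jul/2014:10:01:42 +0800] conn=1018092 op=1 UNBIND
[16/Jul/2014:10:01:42 +0800] conn=1018092 op=1 fd=74 closed - U1
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OPEN = re.compile(
    r"^fd=\d+ slot=\d+ (?P<ssl>SSL )?connection from (?P<src>\S+) to (?P<dst>\S+)"
)
CLOSE = re.compile(r"^op=-?\d+ fd=\d+ closed - (?P<reason>.+)$")
OPERATION = re.compile(r"^op=(?P<op>\d+) [A-Z]+\b")


def parse_connections(text):
    """Return an ordered mapping of conn id -> summary of that connection."""
    conns = OrderedDict()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an access-log line in the expected layout
        rec = conns.setdefault(m.group("conn"), {
            "conn": m.group("conn"), "opened": None, "ssl": False,
            "src": None, "dst": None, "ops": set(),
            "closed": None, "reason": None,
        })
        rest = m.group("rest")
        opened = OPEN.match(rest)
        closed = CLOSE.match(rest)
        operation = OPERATION.match(rest)
        if opened:
            rec["opened"] = m.group("ts")
            rec["ssl"] = opened.group("ssl") is not None
            rec["src"], rec["dst"] = opened.group("src"), opened.group("dst")
        elif closed:
            rec["closed"] = m.group("ts")
            rec["reason"] = closed.group("reason").strip()
        elif operation:
            # BIND and its RESULT share one op number, so count distinct ops.
            rec["ops"].add(int(operation.group("op")))
    return conns


def closed_without_operation(conns):
    """Connections that were closed before any LDAP operation was logged."""
    return [c for c in conns.values() if c["closed"] and not c["ops"]]


def group_by_reason(failed):
    """Map each close reason (code or error text) to the conn ids showing it."""
    groups = OrderedDict()
    for c in failed:
        groups.setdefault(c["reason"], []).append(c["conn"])
    return groups


if __name__ == "__main__":
    failed = closed_without_operation(parse_connections(SAMPLE_LOG))
    for c in failed:
        kind = "LDAPS" if c["ssl"] else "LDAP"
        print(f'{c["closed"]} conn={c["conn"]} {kind} '
              f'{c["src"]} -> {c["dst"]}: {c["reason"]}')
    for reason, ids in group_by_reason(failed).items():
        print(f"{len(ids)} connection(s) closed with: {reason}")
```
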
<br><br><div class="gmail_quote">2014-07-15 23:38 GMT+08:00 Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class=""><a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> wrote:<br>
> What it is meant ? u meant enable anonymous access ? return back to 389 ?<br>
> How to remove the can't connect LDAP server ?<br>
<br>
</div>I meant neither of those.<br>
<br>
Watch the 389-ds access log when running ipa-replica-manage list<br>
<br>
Find the connection, note the error, if any.<br>
<br>
rob<br>
<div class=""><br>
><br>
><br>
> 2014-07-15 22:29 GMT+08:00 Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br>
</div>> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>:<br>
<div class="">><br>
> Rich Megginson wrote:<br>
> > On 07/14/2014 05:58 PM, <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
</div><div class="">> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>> wrote:<br>
> >> kinit work , can input password<br>
> >><br>
> >> any ipa command fail even ipa replica-manage status command >>"cant<br>
> >> contact ldap server"<br>
> ><br>
> > Assuming that ldapsearch works, this sounds like the ipa command line<br>
> > tool can't communicate with the httpd server? Any errors in<br>
> > /var/log/httpd/error_log?<br>
><br>
> ipa-replica-manage only uses direct LDAP (maybe a little GSSAPI for good<br>
> measure).<br>
><br>
> It also uses port 636 so at this point I suspect it is an SSL trust<br>
> issue. If you watch the access log you should see the connection attempt<br>
> and result.<br>
><br>
> rob<br>
><br>
> ><br>
> >><br>
> >><br>
> >> 2014-07-15 0:03 GMT+08:00 Rich Megginson <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
</div>> >> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
<div class="">> >><br>
> >> On 07/13/2014 08:51 PM, <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div><div class="">> >> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>> wrote:<br>
</div><div class="">> >>> Hi:<br>
> >>><br>
> >>> Only for the servers that are getting the "DB_LOCK_DEADLOCK:<br>
> >>> Locker killed to resolve a deadlock" message in the errors log.<br>
> >>><br>
> >>> > need restart ipactl service after modification?<br>
> >>><br>
> >>> But this does not explain the "cant contact ldap server" errors.<br>
> >>><br>
> >>> Which ipa commands give the "cant contact ldap server" errors?<br>
> >>><br>
> >>> > <a href="http://server2.abc.com" target="_blank">server2.abc.com</a> <<a href="http://server2.abc.com" target="_blank">http://server2.abc.com</a>><br>
> <<a href="http://server2.abc.com" target="_blank">http://server2.abc.com</a>> and command related<br>
> >>> ipa shown can't contact ldap server , log shown before.<br>
> >><br>
> >> Does this mean that<br>
> >> ipa user-find<br>
> >> on <a href="http://server2.abc.com" target="_blank">server2.abc.com</a> <<a href="http://server2.abc.com" target="_blank">http://server2.abc.com</a>><br>
> <<a href="http://server2.abc.com" target="_blank">http://server2.abc.com</a>> gives a "cant contact<br>
> >> ldap server" error?<br>
> >><br>
> >> Or is it only the ipa replica-manage status command that gives<br>
> >> this error?<br>
> >><br>
> >> If it is the former, does ldapsearch work? Does kinit work?<br>
> >><br>
> >>><br>
> >>><br>
> >>> 2014-07-11 21:55 GMT+08:00 Rich Megginson<br>
> <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
</div>> >>> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
<div class="">> >>><br>
> >>> On 07/11/2014 01:53 AM, <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div><div class="">> >>> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>><br>
> wrote:<br>
</div><div class="">> >>>> At server 2 there is a error:<br>
> >>>><br>
> >>>><br>
> >>>> [10/Jul/2014:12:29:59 +0800] NSMMReplicationPlugin -<br>
> >>>> agmt="cn=<a href="http://meToserver1.abc.com" target="_blank">meToserver1.abc.com</a><br>
</div>> <<a href="http://meToserver1.abc.com" target="_blank">http://meToserver1.abc.com</a>> <<a href="http://meToserver1.abc.com" target="_blank">http://meToserver1.abc.com</a>>"<br>
<div class="">> >>>> (central:389): Replication bind with GSSAPI auth failed:<br>
> >>>> LDAP error -2 (Local error) (SASL(-1): generic failure:<br>
> >>>> GSSAPI Error: Unspecified GSS failure. Minor code may<br>
> >>>> provide more information (Credentials cache file<br>
> >>>> '/tmp/krb5cc_494' not found))<br>
> >>><br>
> >>> This is usually a transient error that should go away.<br>
> >>><br>
> >>>><br>
> >>>><br>
> >>>> 2014-07-11 10:26 GMT+08:00 <<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div>> >>>> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>>:<br>
<div class="">> >>>><br>
> >>>> Yes ,<br>
> >>>> still get "cant contact ldap server" after upgrading<br>
> >>>> both servers.<br>
> >>>><br>
> >>>><br>
> >>>> 2014-07-10 23:18 GMT+08:00 Rich Megginson<br>
> >>>> <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
</div>> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
<div class="">> >>>><br>
> >>>> On 07/10/2014 09:15 AM, <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div><div class="">> >>>> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>> wrote:<br>
> >>>>><br>
</div><div class="">> >>>>> But any hint that server 2 say cant contact ldap<br>
> >>>>> server if type ipa command?<br>
> >>>>><br>
> >>>><br>
> >>>> Please keep replies on list.<br>
> >>>><br>
> >>>> You still get "cant contact ldap server" after<br>
> >>>> upgrading both servers?<br>
> >>>><br>
> >>>>> On 2014/7/10 at 10:25 PM, "Rich Megginson"<br>
> >>>>> <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
</div>> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
<div class="">> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>><br>
> >>>>> wrote:<br>
> >>>>><br>
> >>>>> On 07/10/2014 01:14 AM, <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div><div class="">> >>>>> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>> wrote:<br>
</div><div><div class="h5">> >>>>>> Tried and now two version same ....but seem<br>
> >>>>>> same situation.<br>
> >>>>>><br>
> >>>>>> i found a related error log that server1 has<br>
> >>>>>> account after added user but not<br>
> replicated to<br>
> >>>>>> server2. Is it too fast on UI clicking ? as i<br>
> >>>>>> exp once that click very<br>
> >>>>>> fast twice add and edit user may cause server<br>
> >>>>>> 2 no record.<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>> [10/Jul/2014:14:20:01 +0800]<br>
> >>>>>> NSMMReplicationPlugin - changelog program -<br>
> >>>>>> _cl5WriteOperationTxn: retry (49) the<br>
> >>>>>> transaction (csn=53be3097000000040000) failed<br>
> >>>>>> (rc=-30994 (DB_LOCK_DEADLOCK: Locker<br>
> killed to<br>
> >>>>>> resolve a deadlock))<br>
> >>>>>> [10/Jul/2014:14:20:01 +0800]<br>
> >>>>>> NSMMReplicationPlugin - changelog program -<br>
> >>>>>> _cl5WriteOperationTxn: failed to write entry<br>
> >>>>>> with csn (53be3097000000040000); db error -<br>
> >>>>>> -30994 DB_LOCK_DEADLOCK: Locker killed to<br>
> >>>>>> resolve a deadlock<br>
> >>>>>> [10/Jul/2014:14:20:01 +0800]<br>
> >>>>>> NSMMReplicationPlugin -<br>
> >>>>>> write_changelog_and_ruv: can't add a change<br>
> >>>>>> for<br>
> >>>>>><br>
> uid=xuehuimei,cn=users,cn=accounts,dc=abc,dc=com<br>
> >>>>>> (uniqid: 1300de84-07fa11e4-b3ddf885-593f3a7a,<br>
> >>>>>> optype: 16) to changelog csn<br>
> 53be3097000000040000<br>
> >>>>>> [10/Jul/2014:14:56:51 +0800]<br>
> >>>>>> NSMMReplicationPlugin - changelog program -<br>
> >>>>>> _cl5WriteOperationTxn: retry (49) the<br>
> >>>>>> transaction (csn=53be3939000000040000) failed<br>
> >>>>>> (rc=-30994 (DB_LOCK_DEADLOCK: Locker<br>
> killed to<br>
> >>>>>> resolve a deadlock))<br>
> >>>>>> [10/Jul/2014:14:56:51 +0800]<br>
> >>>>>> NSMMReplicationPlugin - changelog program -<br>
> >>>>>> _cl5WriteOperationTxn: failed to write entry<br>
> >>>>>> with csn (53be3939000000040000); db error -<br>
> >>>>>> -30994 DB_LOCK_DEADLOCK: Locker killed to<br>
> >>>>>> resolve a deadlock<br>
> >>>>>> [10/Jul/2014:14:56:51 +0800]<br>
> >>>>>> NSMMReplicationPlugin -<br>
> >>>>>> write_changelog_and_ruv: can't add a change<br>
> >>>>>> for<br>
> >>>>>><br>
> uid=websubcon04,cn=users,cn=accounts,dc=abc,dc=com<br>
> >>>>>> (uniqid: 3e39fc81-07ff11e4-b3ddf885-593f3a7a,<br>
> >>>>>> optype: 16) to changelog csn<br>
> 53be3939000000040000<br>
> >>>>><br>
> >>>>> This looks like<br>
> >>>>> <a href="https://fedorahosted.org/389/ticket/47409" target="_blank">https://fedorahosted.org/389/ticket/47409</a> and<br>
> >>>>><br>
> <a href="https://bugzilla.redhat.com/show_bug.cgi?id=979169" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=979169</a><br>
> >>>>><br>
> >>>>> Cause: Under certain conditions, with a mix of<br>
> >>>>> concurrent search and update and outgoing<br>
> >>>>> replication operations, there will be<br>
> deadlocks<br>
> >>>>> in the changelog db, leading to error messages<br>
> >>>>> like this:<br>
> >>>>> NSMMReplicationPlugin - changelog program -<br>
> >>>>> _cl5WriteOperationTxn: failed to write entry<br>
> >>>>> with csn (XXXXXXX); db error - -30994<br>
> >>>>> DB_LOCK_DEADLOCK: Locker killed to resolve a<br>
> >>>>> deadlock<br>
> >>>>> This is caused by a deadlock between the<br>
> >>>>> changelog readers, writers, and main database<br>
> >>>>> writers.<br>
> >>>>><br>
> >>>>> Consequence: Update operations will fail with<br>
> >>>>> the above error message in the directory<br>
> server<br>
> >>>>> errors log.<br>
> >>>>><br>
> >>>>> Fix: A new configuration parameter is<br>
> introduced:<br>
> >>>>> dn: cn=config,cn=ldbm<br>
> database,cn=plugins,cn=config<br>
> >>>>> nsslapd-db-deadlock-policy: 9<br>
> >>>>><br>
> >>>>> With the default policy 9 (DB_LOCK_YOUNGEST),<br>
> >>>>> the last locker gets killed when there is a<br>
> >>>>> deadlock. In the case that this is the<br>
> >>>>> changelog writer, the write will fail, and the<br>
> >>>>> entire update will fail.<br>
> >>>>><br>
> >>>>> Users who frequently see the above errors in<br>
> >>>>> the errors log are advised to change this<br>
> >>>>> setting to 6 (DB_LOCK_MINWRITE) which will<br>
> >>>>> instead kill the locker that has the fewest<br>
> >>>>> write locks (that is, the changelog reader).<br>
> >>>>> The changelog reader code has been changed to<br>
> >>>>> handle this deadlock condition and retry. The<br>
> >>>>> setting can be changed like this:<br>
> >>>>><br>
> >>>>> ldapmodify -x -D "cn=directory manager" -W<br>
> <<EOF<br>
> >>>>> dn: cn=config,cn=ldbm<br>
> database,cn=plugins,cn=config<br>
> >>>>> changetype: modify<br>
> >>>>> replace: nsslapd-db-deadlock-policy<br>
> >>>>> nsslapd-db-deadlock-policy: 6<br>
> >>>>> EOF<br>
> >>>>><br>
> >>>>> You may ask why the default is not changed to<br>
> >>>>> 6. The answer is that the setting will apply<br>
> >>>>> to _all_ threads, so that changing this<br>
> setting<br>
> >>>>> could cause regular search requests to<br>
> fail, if<br>
> >>>>> the directory server is under a heavy update<br>
> >>>>> load. In our testing, we did not see this<br>
> >>>>> happen, but we cannot guarantee that changing<br>
> >>>>> this value to 6 will not impact regular search<br>
> >>>>> requests.<br>
> >>>>><br>
> >>>>> Result: After changing<br>
> >>>>> nsslapd-db-deadlock-policy to 6, updates will<br>
> >>>>> succeed and no longer cause errors like<br>
> the above.<br>
> >>>>><br>
> >>>>><br>
> >>>>>><br>
> >>>>>><br>
> >>>>>> 2014-07-10 10:40 GMT+08:00 Rich Megginson<br>
> >>>>>> <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
</div></div>> >>>>>> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
<div class="">> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
> >>>>>><br>
> >>>>>> On 07/09/2014 08:36 PM,<br>
> <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div><div class="">> >>>>>> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>> wrote:<br>
</div><div><div class="h5">> >>>>>>> Hi :<br>
> >>>>>>><br>
> >>>>>>> What is the procedure for this minor<br>
> update ?<br>
> >>>>>>><br>
> >>>>>>> just yum update ipa-server after<br>
> stop the<br>
> >>>>>>> server?<br>
> >>>>>><br>
> >>>>>> If you just want to upgrade only the LDAP<br>
> >>>>>> server, which is the component that I for<br>
> >>>>>> sure know is out of date, then yum update<br>
> >>>>>> 389-ds-base.<br>
> >>>>>><br>
> >>>>>> Or just "yum update" - in general I don't<br>
> >>>>>> like running "franken-systems" which have<br>
> >>>>>> a mix of up-to-date and out of date<br>
> >>>>>> packages. Note that "IPA server" is<br>
> >>>>>> composed of several packages.<br>
> >>>>>><br>
> >>>>>> You do not need to stop the server.<br>
> >>>>>> yum/rpm upgrade will restart as needed.<br>
> >>>>>> If you want to make sure, do ipactl<br>
> >>>>>> restart after upgrade.<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>>> and effect of the existing ldap?<br>
> >>>>>><br>
> >>>>>> Not sure what you mean. Upgrade should<br>
> >>>>>> not touch any config or data.<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>>><br>
> >>>>>>> As the server 2 is master of replica<br>
> also<br>
> >>>>>>> , so need refo ipa-replica install ?<br>
> >>>>>><br>
> >>>>>> No, you just need to perform the same<br>
> >>>>>> upgrade procedure.<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>>><br>
> >>>>>>> barry<br>
> >>>>>>><br>
> >>>>>>><br>
> >>>>>>> 2014-07-09 22:20 GMT+08:00 Rich<br>
> Megginson<br>
> >>>>>>> <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
</div></div>> >>>>>>> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
<div class="">> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
> >>>>>>><br>
> >>>>>>> On 07/08/2014 09:02 PM,<br>
> >>>>>>> <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div><div class="">> >>>>>>> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>> wrote:<br>
</div><div><div class="h5">> >>>>>>>> Some error i found :<br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>> <a href="http://server1.abc.com:636" target="_blank">server1.abc.com:636</a><br>
> <<a href="http://server1.abc.com:636" target="_blank">http://server1.abc.com:636</a>><br>
> >>>>>>>> <<a href="http://server1.abc.com:636" target="_blank">http://server1.abc.com:636</a>><br>
> >>>>>>>> (/etc/dirsrv/slapd-abc-COM)<br>
> >>>>>>>><br>
> >>>>>>>> [29/Jun/2014:02:00:56 +0800] -<br>
> >>>>>>>> 389-Directory/<a href="http://1.2.11.25" target="_blank">1.2.11.25</a><br>
> <<a href="http://1.2.11.25" target="_blank">http://1.2.11.25</a>><br>
> >>>>>>>> <<a href="http://1.2.11.25" target="_blank">http://1.2.11.25</a>> B2013.325.1951<br>
> >>>>>>>> starting up<br>
> >>>>>>>> [29/Jun/2014:02:00:56 +0800]<br>
> >>>>>>>> attrcrypt - attrcrypt_unwrap_key:<br>
> >>>>>>>> failed to unwrap key for cipher AES<br>
> >>>>>>>> [29/Jun/2014:02:00:56 +0800]<br>
> >>>>>>>> attrcrypt - attrcrypt_cipher_init:<br>
> >>>>>>>> symmetric key failed to unwrap with<br>
> >>>>>>>> the private key; Cert might have<br>
> >>>>>>>> been renewed since the key is<br>
> >>>>>>>> wrapped. To recover the encrypted<br>
> >>>>>>>> contents, keep the wrapped<br>
> symmetric<br>
> >>>>>>>> key value.<br>
> >>>>>>>> [29/Jun/2014:02:00:56 +0800]<br>
> >>>>>>>> attrcrypt - attrcrypt_unwrap_key:<br>
> >>>>>>>> failed to unwrap key for cipher<br>
> 3DES<br>
> >>>>>>>> [29/Jun/2014:02:00:56 +0800]<br>
> >>>>>>>> attrcrypt - attrcrypt_cipher_init:<br>
> >>>>>>>> symmetric key failed to unwrap with<br>
> >>>>>>>> the private key; Cert might have<br>
> >>>>>>>> been renewed since the key is<br>
> >>>>>>>> wrapped. To recover the encrypted<br>
> >>>>>>>> contents, keep the wrapped<br>
> symmetric<br>
> >>>>>>>> key value.<br>
> >>>>>>>> [29/Jun/2014:02:00:56 +0800]<br>
> >>>>>>>> attrcrypt - All prepared<br>
> ciphers are<br>
> >>>>>>>> not available. Please disable<br>
> >>>>>>>> attribute encryption.<br>
> >>>>>>>> [29/Jun/2014:02:00:56 +0800]<br>
> >>>>>>>> schema-compat-plugin - warning: no<br>
> >>>>>>>> entries set up under cn=computers,<br>
> >>>>>>>> cn=compat,dc=abc,dc=com<br>
> >>>>>>>> [29/Jun/2014:02:00:57 +0800]<br>
> >>>>>>>> schema-compat-plugin - warning: no<br>
> >>>>>>>> entries set up under cn=ng,<br>
> >>>>>>>> cn=compat,dc=abc,dc=com<br>
> >>>>>>>> [29/Jun/2014:02:00:57 +0800]<br>
> >>>>>>>> schema-compat-plugin - warning: no<br>
> >>>>>>>> entries set up under<br>
> >>>>>>>> ou=sudoers,dc=abc,dc=com<br>
> >>>>>>>> [29/Jun/2014:02:00:57 +0800] -<br>
> >>>>>>>> Skipping CoS Definition cn=Password<br>
> >>>>>>>><br>
> Policy,cn=accounts,dc=abc,dc=com--no<br>
> >>>>>>>> CoS Templates found, which<br>
> should be<br>
> >>>>>>>> added before the CoS Definition.<br>
> >>>>>>>> [29/Jun/2014:02:00:57 +0800]<br>
> >>>>>>>> set_krb5_creds - Could not get<br>
> >>>>>>>> initial credentials for principal<br>
> >>>>>>>> [ldap/server1.abc.com@abc.COM<br>
> >>>>>>>> <mailto:<a href="mailto:ldap">ldap</a><br>
</div></div>> <mailto:<a href="mailto:ldap">ldap</a>>/server1.abc.com@abc.COM>]<br>
<div><div class="h5">> >>>>>>>> in keytab<br>
> >>>>>>>> [FILE:/etc/dirsrv/ds.keytab]:<br>
> >>>>>>>> -1765328228 (Cannot contact any KDC<br>
> >>>>>>>> for requested realm)<br>
> >>>>>>>> [29/Jun/2014:02:00:58 +0800] -<br>
> >>>>>>>> Skipping CoS Definition cn=Password<br>
> >>>>>>>><br>
> Policy,cn=accounts,dc=abc,dc=com--no<br>
> >>>>>>>> CoS Templates found, which<br>
> should be<br>
> >>>>>>>> added before the CoS Definition.<br>
> >>>>>>>> [29/Jun/2014:02:00:58 +0800]<br>
> >>>>>>>> slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>> Error: could not perform<br>
> interactive<br>
> >>>>>>>> bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>> error -2 (Local error) (SASL(-1):<br>
> >>>>>>>> generic failure: GSSAPI Error:<br>
> >>>>>>>> Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>> may provide more information<br>
> >>>>>>>> (Credentials cache file<br>
> >>>>>>>> '/tmp/krb5cc_492' not found)) errno<br>
> >>>>>>>> 0 (Success)<br>
> >>>>>>>> [29/Jun/2014:02:00:58 +0800]<br>
> >>>>>>>> slapi_ldap_bind - Error: could not<br>
> >>>>>>>> perform interactive bind for id []<br>
> >>>>>>>> mech [GSSAPI]: error -2 (Local<br>
> error)<br>
> >>>>>>>> [29/Jun/2014:02:00:58 +0800]<br>
> >>>>>>>> NSMMReplicationPlugin -<br>
> >>>>>>>> agmt="cn=<a href="http://meToserver2.abc.com" target="_blank">meToserver2.abc.com</a><br>
> <<a href="http://meToserver2.abc.com" target="_blank">http://meToserver2.abc.com</a>><br>
> >>>>>>>> <<a href="http://meToserver2.abc.com" target="_blank">http://meToserver2.abc.com</a>>"<br>
> >>>>>>>> (server2:389): Replication bind<br>
> with<br>
> >>>>>>>> GSSAPI auth failed: LDAP error -2<br>
> >>>>>>>> (Local error) (SASL(-1): generic<br>
> >>>>>>>> failure: GSSAPI Error: Unspecified<br>
> >>>>>>>> GSS failure. Minor code may<br>
> provide<br>
> >>>>>>>> more information (Credentials cache<br>
> >>>>>>>> file '/tmp/krb5cc_492' not found))<br>
> >>>>>>>> [29/Jun/2014:02:00:58 +0800] -<br>
> slapd<br>
> >>>>>>>> started. Listening on All<br>
> >>>>>>>> Interfaces port 389 for LDAP<br>
> requests<br>
> >>>>>>>> [29/Jun/2014:02:00:58 +0800] -<br>
> >>>>>>>> Listening on All Interfaces<br>
> port 636<br>
> >>>>>>>> for LDAPS requests<br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>> 389-Directory/<a href="http://1.2.11.15" target="_blank">1.2.11.15</a><br>
> <<a href="http://1.2.11.15" target="_blank">http://1.2.11.15</a>><br>
> >>>>>>>> <<a href="http://1.2.11.15" target="_blank">http://1.2.11.15</a>> B2013.240.174<br>
> >>>>>>>> <a href="http://server2.abc.com:636" target="_blank">server2.abc.com:636</a><br>
> <<a href="http://server2.abc.com:636" target="_blank">http://server2.abc.com:636</a>><br>
> >>>>>>>> <<a href="http://server2.abc.com:636" target="_blank">http://server2.abc.com:636</a>><br>
> >>>>>>>> (/etc/dirsrv/slapd-abc-COM)<br>
> >>>>>>>><br>
> >>>>>>>> [30/Jun/2014:12:51:31 +0800]<br>
> >>>>>>>> slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>> Error: could not perform<br>
> interactive<br>
> >>>>>>>> bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>> error -2 (Local error) (SASL(-1):<br>
> >>>>>>>> generic failure: GSSAPI Error:<br>
> >>>>>>>> Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>> may provide more information<br>
> (Ticket<br>
> >>>>>>>> expired)) errno 0 (Success)<br>
> >>>>>>>> [30/Jun/2014:12:51:31 +0800]<br>
> >>>>>>>> slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>> Error: could not perform<br>
> interactive<br>
> >>>>>>>> bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>> error -2 (Local error) (SASL(-1):<br>
> >>>>>>>> generic failure: GSSAPI Error:<br>
> >>>>>>>> Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>> may provide more information<br>
> (Ticket<br>
> >>>>>>>> expired)) errno 0 (Success)<br>
> >>>>>>>> [30/Jun/2014:12:51:31 +0800]<br>
> >>>>>>>> slapi_ldap_bind - Error: could not<br>
> >>>>>>>> perform interactive bind for id []<br>
> >>>>>>>> mech [GSSAPI]: error -2 (Local<br>
> error)<br>
> >>>>>>>> [30/Jun/2014:12:51:31 +0800]<br>
> >>>>>>>> NSMMReplicationPlugin -<br>
> >>>>>>>> agmt="cn=<a href="http://meToserver1.abc.com" target="_blank">meToserver1.abc.com</a><br>
> <<a href="http://meToserver1.abc.com" target="_blank">http://meToserver1.abc.com</a>><br>
> >>>>>>>> <<a href="http://meToserver1.abc.com" target="_blank">http://meToserver1.abc.com</a>>"<br>
> >>>>>>>> (server1:389): Replication bind<br>
> with<br>
> >>>>>>>> GSSAPI auth failed: LDAP error -2<br>
> >>>>>>>> (Local error) (SASL(-1): generic<br>
> >>>>>>>> failure: GSSAPI Error: Unspecified<br>
> >>>>>>>> GSS failure. Minor code may<br>
> provide<br>
> >>>>>>>> more information (Ticket expired))<br>
> >>>>>>>> [30/Jun/2014:12:51:34 +0800]<br>
> >>>>>>>> slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>> Error: could not perform<br>
> interactive<br>
> >>>>>>>> bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>> error -2 (Local error) (SASL(-1):<br>
> >>>>>>>> generic failure: GSSAPI Error:<br>
> >>>>>>>> Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>> may provide more information<br>
> (Ticket<br>
> >>>>>>>> expired)) errno 0 (Success)<br>
> >>>>>>>> [30/Jun/2014:12:51:35 +0800]<br>
> >>>>>>>> slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>> Error: could not perform<br>
> interactive<br>
> >>>>>>>> bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>> error -2 (Local error) (SASL(-1):<br>
> >>>>>>>> generic failure: GSSAPI Error:<br>
> >>>>>>>> Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>> may provide more information<br>
> (Ticket<br>
> >>>>>>>> expired)) errno 0 (Success)<br>
> >>>>>>>> [30/Jun/2014:12:51:35 +0800]<br>
> >>>>>>>> slapi_ldap_bind - Error: could not<br>
> >>>>>>>> perform interactive bind for id []<br>
> >>>>>>>> mech [GSSAPI]: error -2 (Local<br>
> error)<br>
> >>>>>>>> [30/Jun/2014:12:51:40 +0800]<br>
> >>>>>>>> slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>> Error: could not perform<br>
> interactive<br>
> >>>>>>>> bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>> error -2 (Local error) (SASL(-1):<br>
> >>>>>>>> generic failure: GSSAPI Error:<br>
> >>>>>>>> Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>> may provide more information<br>
> (Ticket<br>
> >>>>>>>> expired)) errno 0 (Success)<br>
> >>>>>>>> [30/Jun/2014:12:51:40 +0800]<br>
> >>>>>>>> slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>> Error: could not perform<br>
> interactive<br>
> >>>>>>>> bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>> error -2 (Local error) (SASL(-1):<br>
> >>>>>>>> generic failure: GSSAPI Error:<br>
> >>>>>>>> Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>> may provide more information<br>
> (Ticket<br>
> >>>>>>>> expired)) errno 0 (Success)<br>
> >>>>>>>> [30/Jun/2014:12:51:40 +0800]<br>
> >>>>>>>> slapi_ldap_bind - Error: could not<br>
> >>>>>>>> perform interactive bind for id []<br>
> >>>>>>>> mech [GSSAPI]: error -2 (Local<br>
> error)<br>
> >>>>>>>> [30/Jun/2014:12:51:52 +0800]<br>
> >>>>>>>> NSMMReplicationPlugin -<br>
> >>>>>>>> agmt="cn=<a href="http://meToserver1.abc.com" target="_blank">meToserver1.abc.com</a><br>
> <<a href="http://meToserver1.abc.com" target="_blank">http://meToserver1.abc.com</a>><br>
> >>>>>>>> <<a href="http://meToserver1.abc.com" target="_blank">http://meToserver1.abc.com</a>>"<br>
> >>>>>>>> (server1:389): Replication bind<br>
> with<br>
> >>>>>>>> GSSAPI auth resumed<br>
> >>>>>>>><br>
> >>>>>>><br>
> >>>>>>> You are using an older version of<br>
> >>>>>>> 389. The version on server2 is<br>
> older<br>
> >>>>>>> than the version on server1.<br>
> Can you<br>
> >>>>>>> upgrade and see if that fixes your<br>
> >>>>>>> problems? Even if it doesn't fix<br>
> >>>>>>> your problems, it will be much<br>
> easier<br>
> >>>>>>> for us to support.<br>
> >>>>>>><br>
> >>>>>>><br>
> >>>>>>>><br>
> >>>>>>>> 2014-07-09 10:55 GMT+08:00<br>
> >>>>>>>> <<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div></div>> >>>>>>>> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
<div class="">> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>>:<br>
> >>>>>>>><br>
> >>>>>>>> FYI..<br>
> >>>>>>>> 160: [04/Jul/2014:12:35:30<br>
> >>>>>>>> +0800] conn=936207 fd=73<br>
> slot=73<br>
> >>>>>>>> connection from 192.168.156.89<br>
> >>>>>>>> to 192.168.156.89<br>
> >>>>>>>> 163: [04/Jul/2014:12:35:30<br>
> >>>>>>>> +0800] conn=936207 op=-1 fd=73<br>
> >>>>>>>> closed - B1<br>
> >>>>>>>><br>
> >>>>>>>> There is not abt binding but i<br>
> >>>>>>>> unsure how to fix ..<br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>> 2014-07-09 2:01 GMT+08:00 Rich<br>
> >>>>>>>> Megginson<br>
> <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
</div>> >>>>>>>> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
<div class="">> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
> >>>>>>>><br>
> >>>>>>>> On 07/08/2014 02:16 AM,<br>
> >>>>>>>> <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
> >>>>>>>><br>
</div><div class="">> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>><br>
> >>>>>>>> wrote:<br>
</div><div><div class="h5">> >>>>>>>>> Resent as size limit.<br>
> >>>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>> Here u are server1 's<br>
> >>>>>>>>> access log seem one<br>
> side broken<br>
> >>>>>>>>><br>
> >>>>>>>>> the problem is how to make<br>
> >>>>>>>>> it replicate again.<br>
> >>>>>>>>><br>
> >>>>>>>>> At server 1<br>
> >>>>>>>>><br>
> >>>>>>>>> it is ok master server1<br>
> >>>>>>>>> master server2<br>
> >>>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>> Another side server 2<br>
> >>>>>>>>> contains 2 ip replication.<br>
> >>>>>>>>><br>
> >>>>>>>>> ipa-replica-manage list<br>
> >>>>>>>>> shown Can't contact<br>
> LDAP server<br>
> >>>>>>>>><br>
> >>>>>>>>> I don't know why but the<br>
> >>>>>>>>> problematic server is server<br>
> >>>>>>>>> 2 not server 1<br>
> >>>>>>>>><br>
> >>>>>>>>> log of server2<br>
> >>>>>>>>> [08/Jul/2014:16:02:40<br>
> >>>>>>>>> +0800] conn=3299731 fd=69<br>
> >>>>>>>>> slot=69 connection from<br>
> >>>>>>>>> 192.168.15.89 (server1) to<br>
> >>>>>>>>> 192.168.15.88(server2)<br>
> >>>>>>>>> [08/Jul/2014:16:02:40<br>
> >>>>>>>>> +0800] conn=3299731 op=-1<br>
> >>>>>>>>> fd=69 closed - B1<br>
> >>>>>>>>> [08/Jul/2014:16:02:40<br>
> >>>>>>>>> +0800] conn=3299732 fd=69<br>
> >>>>>>>>> slot=69 connection from<br>
> >>>>>>>>> 192.168.15.89 to<br>
> 192.168.15.88<br>
> >>>>>>>>> [08/Jul/2014:16:02:40<br>
> >>>>>>>>> +0800] conn=3299732 op=-1<br>
> >>>>>>>>> fd=69 closed - B1<br>
> >>>>>>>>> [08/Jul/2014:16:02:41<br>
> >>>>>>>>> +0800] conn=3299733 fd=69<br>
> >>>>>>>>> slot=69 connection from<br>
> >>>>>>>>> 192.168.15.89 to<br>
> 192.168.15.88<br>
> >>>>>>>>> [08/Jul/2014:16:02:41<br>
> >>>>>>>>> +0800] conn=3299733 op=-1<br>
> >>>>>>>>> fd=69 closed - B1<br>
> >>>>>>>><br>
> >>>>>>>> You never answered my question below. "Are you sure that this connection is a replication session? Can you post all of the operations from the access log from conn=936207?"<br>
> >>>>>>>><br>
> >>>>>>>> In the future, please avoid spamming the list with large log files. In general, it's better to provide excerpts from the log files showing the problem, paste them to <a href="http://fpaste.org" target="_blank">fpaste.org</a>, and post the link to the mailing list. If for some reason you need to post a large file, please use a file sharing service and post the link to the file.<br>
> >>>>>>>><br>
> >>>>>>>> Can you take a look at your errors log from server 1 and server 2 and see if there are any relevant errors?<br>
> >>>>>>>><br>
> >>>>>>>> If I had to guess, I would say that there is some sort of network error between server 1 and server 2 that causes the excessive closed - B1. Perhaps there will be more information in the errors log.<br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>> 2014-07-07 22:21 GMT+08:00<br>
> >>>>>>>>> Rich Megginson<br>
> >>>>>>>>> <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
> >>>>>>>>><br>
</div></div>> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
<div class="">> >>>>>>>>><br>
> >>>>>>>>> On 07/04/2014<br>
> 03:28 AM,<br>
> >>>>>>>>> <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
> >>>>>>>>><br>
</div><div class="">> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>><br>
> >>>>>>>>> wrote:<br>
</div><div><div class="h5">> >>>>>>>>>> FOUND something<br>
> >>>>>>>>>> strange that server 1<br>
> >>>>>>>>>> replicate to itself<br>
> >>>>>>>>>> rather than server2<br>
> >>>>>>>>>><br>
> >>>>>>>>>> Server1 access log > Wrong<br>
> >>>>>>>>>> [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.15.89(server1) to 192.168.15.89 (server1)<br>
> >>>>>>>>><br>
> >>>>>>>>> Are you sure that this<br>
> >>>>>>>>> connection is a<br>
> >>>>>>>>> replication session?<br>
> >>>>>>>>> Can you post all<br>
> of the<br>
> >>>>>>>>> operations from the<br>
> >>>>>>>>> access log from<br>
> >>>>>>>>> conn=936207?<br>
> >>>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>> Server 2 access log > OK<br>
> >>>>>>>>>> [04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection from 192.168.15.89(server2) to 192.168.15.88 (server2)<br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>> 2014-07-04 9:25<br>
> >>>>>>>>>> GMT+08:00<br>
> >>>>>>>>>><br>
> <<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
> >>>>>>>>>><br>
</div></div>> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>>:<br>
<div><div class="h5">> >>>>>>>>>><br>
> >>>>>>>>>> Just sure now one<br>
> >>>>>>>>>> side flow is<br>
> >>>>>>>>>> broken, if u<br>
> >>>>>>>>>> update server1 ,<br>
> >>>>>>>>>> it 100% work<br>
> >>>>>>>>>> server2 will<br>
> upgrade.<br>
> >>>>>>>>>> but if u update<br>
> >>>>>>>>>> server2 there is<br>
> >>>>>>>>>> chance<br>
> non-syn e.g<br>
> >>>>>>>>>> it create<br>
> username<br>
> >>>>>>>>>> in server1 with<br>
> >>>>>>>>>> posfix grp >ok<br>
> >>>>>>>>>> but in server2 it<br>
> >>>>>>>>>> only created<br>
> >>>>>>>>>> posfix grp but no<br>
> >>>>>>>>>> username<br>
> >>>>>>>>>> /attribute it<br>
> >>>>>>>>>> occur several<br>
> >>>>>>>>>> times. I have to<br>
> >>>>>>>>>> use command line<br>
> >>>>>>>>>> grp del<br>
> ...etc. to<br>
> >>>>>>>>>> force del<br>
> them and<br>
> >>>>>>>>>> recreate them.,.<br>
> >>>>>>>>>><br>
> >>>>>>>>>> Result below:<br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>> <a href="http://server2.abc.com" target="_blank">server2.abc.com</a>:<br>
> >>>>>>>>>> replica<br>
> >>>>>>>>>> last init<br>
> >>>>>>>>>> status: None<br>
> >>>>>>>>>> last init<br>
> ended:<br>
> >>>>>>>>>> None<br>
> >>>>>>>>>> last update<br>
> >>>>>>>>>> status: 0 Replica<br>
> >>>>>>>>>> acquired<br>
> >>>>>>>>>> successfully:<br>
> >>>>>>>>>> Incremental<br>
> update<br>
> >>>>>>>>>> succeeded<br>
> >>>>>>>>>> last update<br>
> >>>>>>>>>> ended: 2014-07-04<br>
> >>>>>>>>>> 00:33:18+00:00<br>
> >>>>>>>>>><br>
> >>>>>>>>>> Directory Manager<br>
> >>>>>>>>>> password:<br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>> <a href="http://server1.abc.com" target="_blank">server1.abc.com</a>:<br>
> >>>>>>>>>> replica<br>
> >>>>>>>>>> last init<br>
> >>>>>>>>>> status: 0 Total<br>
> >>>>>>>>>> update succeeded<br>
> >>>>>>>>>> last init<br>
> ended:<br>
> >>>>>>>>>> 2014-06-20<br>
> >>>>>>>>>> 10:07:02+00:00<br>
> >>>>>>>>>> last update<br>
> >>>>>>>>>> status: 0 Replica<br>
> >>>>>>>>>> acquired<br>
> >>>>>>>>>> successfully:<br>
> >>>>>>>>>> Incremental<br>
> update<br>
> >>>>>>>>>> succeeded<br>
> >>>>>>>>>> last update<br>
> >>>>>>>>>> ended: 2014-07-04<br>
> >>>>>>>>>> 01:14:19+00:00<br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> [root@(LIVE)server2 ~]$<br>
> >>>>>>>>>> ipactl status<br>
> >>>>>>>>>> Directory<br>
> Service:<br>
> >>>>>>>>>> RUNNING<br>
> >>>>>>>>>> KDC Service:<br>
> RUNNING<br>
> >>>>>>>>>> KPASSWD Service:<br>
> >>>>>>>>>> RUNNING<br>
> >>>>>>>>>> MEMCACHE Service:<br>
> >>>>>>>>>> RUNNING<br>
> >>>>>>>>>> HTTP Service:<br>
> RUNNING<br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>> 2014-07-04 1:34<br>
> >>>>>>>>>> GMT+08:00 Rob<br>
> >>>>>>>>>> Crittenden<br>
> >>>>>>>>>><br>
> <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> >>>>>>>>>><br>
</div></div>> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>>:<br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
> >>>>>>>>>><br>
<div class="">> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>><br>
> >>>>>>>>>> wrote:<br>
</div><div><div class="h5">> >>>>>>>>>> > Yes<br>
> they are<br>
> >>>>>>>>>> running.<br>
> >>>>>>>>>> Server 1 can<br>
> >>>>>>>>>> syn to<br>
> server2<br>
> >>>>>>>>>> but error at<br>
> >>>>>>>>>> server 2<br>
> >>>>>>>>>> > like this.<br>
> >>>>>>>>>><br>
> >>>>>>>>>> How do you<br>
> >>>>>>>>>> know server 1<br>
> >>>>>>>>>> is syncing<br>
> >>>>>>>>>> with<br>
> server 2?<br>
> >>>>>>>>>><br>
> >>>>>>>>>> On server 1<br>
> >>>>>>>>>> I'd run:<br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> ipa-replica-manage<br>
> >>>>>>>>>> list -v<br>
> `hostname`<br>
> >>>>>>>>>><br>
> >>>>>>>>>> This will<br>
> show<br>
> >>>>>>>>>> the<br>
> >>>>>>>>>> replication<br>
> >>>>>>>>>> status.<br>
> >>>>>>>>>><br>
> >>>>>>>>>> And what does<br>
> >>>>>>>>>> ipactl status<br>
> >>>>>>>>>> show on<br>
> server 2?<br>
> >>>>>>>>>><br>
> >>>>>>>>>> rob<br>
> >>>>>>>>>><br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > On 2014/7/3<br>
> >>>>>>>>>> 10:14 PM,<br>
> >>>>>>>>>> "Rob<br>
> >>>>>>>>>> Crittenden"<br>
> >>>>>>>>>><br>
> <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> >>>>>>>>>><br>
</div></div>> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>>><br>
<div class="">> >>>>>>>>>> wrote:<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > Please<br>
> >>>>>>>>>> keep<br>
> replies on<br>
> >>>>>>>>>> the list.<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> ><br>
> >>>>>>>>>><br>
> <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
> >>>>>>>>>><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>><br>
> >>>>>>>>>><br>
</div><div><div class="h5">> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
> >>>>>>>>>><br>
> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>><br>
> >>>>>>>>>> wrote:<br>
> >>>>>>>>>> > > I saw<br>
> >>>>>>>>>> the error<br>
> >>>>>>>>>> below and<br>
> >>>>>>>>>> error log is<br>
> >>>>>>>>>> it related ?<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> 29/Jun/2014:02:00:58<br>
> >>>>>>>>>> +0800]<br>
> >>>>>>>>>><br>
> slapd_ldap_sasl_interactive_bind<br>
> >>>>>>>>>> - Error:<br>
> >>>>>>>>>> > > could<br>
> >>>>>>>>>> not perform<br>
> >>>>>>>>>> interactive<br>
> >>>>>>>>>> bind for<br>
> id []<br>
> >>>>>>>>>> mech<br>
> [GSSAPI]:<br>
> >>>>>>>>>> LDAP error<br>
> >>>>>>>>>> > > -2<br>
> >>>>>>>>>> (Local error)<br>
> >>>>>>>>>> (SASL(-1):<br>
> >>>>>>>>>> generic<br>
> >>>>>>>>>> failure:<br>
> >>>>>>>>>> GSSAPI Error:<br>
> >>>>>>>>>> Unspecified<br>
> >>>>>>>>>> > > GSS<br>
> >>>>>>>>>> failure.<br>
> >>>>>>>>>> Minor code<br>
> >>>>>>>>>> may provide<br>
> >>>>>>>>>> more<br>
> >>>>>>>>>> information<br>
> >>>>>>>>>> (Credentials<br>
> >>>>>>>>>> > cache<br>
> >>>>>>>>>> > > file<br>
> >>>>>>>>>><br>
> '/tmp/krb5cc_492'<br>
> >>>>>>>>>> not found))<br>
> >>>>>>>>>> errno 0<br>
> (Success)<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> [29/Jun/2014:02:00:58<br>
> >>>>>>>>>> +0800]<br>
> >>>>>>>>>><br>
> slapi_ldap_bind -<br>
> >>>>>>>>>> Error:<br>
> could not<br>
> >>>>>>>>>> > perform<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> interactive<br>
> >>>>>>>>>> bind for<br>
> id []<br>
> >>>>>>>>>> mech<br>
> [GSSAPI]:<br>
> >>>>>>>>>> error -2<br>
> >>>>>>>>>> (Local error)<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > I<br>
> >>>>>>>>>> believe this<br>
> >>>>>>>>>> is fairly<br>
> >>>>>>>>>> normal on a<br>
> >>>>>>>>>> new startup.<br>
> >>>>>>>>>> It has to<br>
> start<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>><br>
> somewhere. The<br>
> >>>>>>>>>> expired<br>
> ticket<br>
> >>>>>>>>>> errors below<br>
> >>>>>>>>>> are<br>
> unexpected<br>
> >>>>>>>>>> since there<br>
> >>>>>>>>>> > are so<br>
> >>>>>>>>>> many of them.<br>
> >>>>>>>>>> Is your KDC<br>
> >>>>>>>>>> running?<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > ipactl<br>
> >>>>>>>>>> status<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > rob<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> 2014-07-02<br>
> >>>>>>>>>> 14:15<br>
> >>>>>>>>>> GMT+08:00<br>
> >>>>>>>>>><br>
> <<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
> >>>>>>>>>><br>
</div></div>> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>>>>:<br>
<div><div class="h5">> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> this is the<br>
> >>>>>>>>>> error log i<br>
> >>>>>>>>>> found at<br>
> >>>>>>>>>> <a href="http://2.abc.com" target="_blank">2.abc.com</a><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> [30/Jun/2014:12:51:31<br>
> >>>>>>>>>> +0800]<br>
> >>>>>>>>>><br>
> slapd_ldap_sasl_interactive_bind<br>
> >>>>>>>>>> -<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Error: could<br>
> >>>>>>>>>> not perform<br>
> >>>>>>>>>> interactive<br>
> >>>>>>>>>> bind for<br>
> id []<br>
> >>>>>>>>>> mech<br>
> [GSSAPI]:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> LDAP error -2<br>
> >>>>>>>>>> (Local error)<br>
> >>>>>>>>>> (SASL(-1):<br>
> >>>>>>>>>> generic<br>
> >>>>>>>>>> failure:<br>
> GSSAPI<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Error:<br>
> >>>>>>>>>> Unspecified<br>
> >>>>>>>>>> GSS failure.<br>
> >>>>>>>>>> Minor code<br>
> >>>>>>>>>> may<br>
> provide more<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> information<br>
> >>>>>>>>>> (Ticket<br>
> >>>>>>>>>> expired))<br>
> >>>>>>>>>> errno 0<br>
> (Success)<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> [30/Jun/2014:12:51:31<br>
> >>>>>>>>>> +0800]<br>
> >>>>>>>>>><br>
> slapd_ldap_sasl_interactive_bind<br>
> >>>>>>>>>> -<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Error: could<br>
> >>>>>>>>>> not perform<br>
> >>>>>>>>>> interactive<br>
> >>>>>>>>>> bind for<br>
> id []<br>
> >>>>>>>>>> mech<br>
> [GSSAPI]:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> LDAP error -2<br>
> >>>>>>>>>> (Local error)<br>
> >>>>>>>>>> (SASL(-1):<br>
> >>>>>>>>>> generic<br>
> >>>>>>>>>> failure:<br>
> GSSAPI<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Error:<br>
> >>>>>>>>>> Unspecified<br>
> >>>>>>>>>> GSS failure.<br>
> >>>>>>>>>> Minor code<br>
> >>>>>>>>>> may<br>
> provide more<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> information<br>
> >>>>>>>>>> (Ticket<br>
> >>>>>>>>>> expired))<br>
> >>>>>>>>>> errno 0<br>
> (Success)<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> [30/Jun/2014:12:51:31<br>
> >>>>>>>>>> +0800]<br>
> >>>>>>>>>><br>
> slapi_ldap_bind -<br>
> >>>>>>>>>> Error:<br>
> could not<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> perform<br>
> >>>>>>>>>> interactive<br>
> >>>>>>>>>> bind for<br>
> id []<br>
> >>>>>>>>>> mech<br>
> [GSSAPI]:<br>
> >>>>>>>>>> error -2<br>
> >>>>>>>>>> > (Local<br>
> >>>>>>>>>> error)<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> [30/Jun/2014:12:51:31<br>
</div></div><div class="">> >>>>>>>>>> +0800]<br>
> >>>>>>>>>><br>
> NSMMReplicationPlugin<br>
> >>>>>>>>>> -<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> agmt="cn=<a href="http://meTo1.abc.com" target="_blank">meTo1.abc.com</a> <<a href="http://meTo1.abc.com" target="_blank">http://meTo1.abc.com</a>><br>
</div>> <<a href="http://meTo1.abc.com" target="_blank">http://meTo1.abc.com</a>>"<br>
<div class="">> >>>>>>>>>><br>
> (central:389):<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Replication<br>
> >>>>>>>>>> bind with<br>
> >>>>>>>>>> GSSAPI auth<br>
> >>>>>>>>>> failed: LDAP<br>
> >>>>>>>>>> error -2<br>
> (Local<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> error)<br>
> >>>>>>>>>> (SASL(-1):<br>
> >>>>>>>>>> generic<br>
> >>>>>>>>>> failure:<br>
> >>>>>>>>>> GSSAPI Error:<br>
> >>>>>>>>>><br>
> Unspecified GSS<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> failure.<br>
> >>>>>>>>>> Minor code<br>
> >>>>>>>>>> may provide<br>
> >>>>>>>>>> more<br>
> >>>>>>>>>> information<br>
</div><div><div class="h5">> >>>>>>>>>> (Ticket<br>
> >>>>>>>>>> ><br>
> expired))<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> [30/Jun/2014:12:51:34<br>
> >>>>>>>>>> +0800]<br>
> >>>>>>>>>><br>
> slapd_ldap_sasl_interactive_bind<br>
> >>>>>>>>>> -<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Error: could<br>
> >>>>>>>>>> not perform<br>
> >>>>>>>>>> interactive<br>
> >>>>>>>>>> bind for<br>
> id []<br>
> >>>>>>>>>> mech<br>
> [GSSAPI]:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> LDAP error -2<br>
> >>>>>>>>>> (Local error)<br>
> >>>>>>>>>> (SASL(-1):<br>
> >>>>>>>>>> generic<br>
> >>>>>>>>>> failure:<br>
> GSSAPI<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Error:<br>
> >>>>>>>>>> Unspecified<br>
> >>>>>>>>>> GSS failure.<br>
> >>>>>>>>>> Minor code<br>
> >>>>>>>>>> may<br>
> provide more<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> information<br>
> >>>>>>>>>> (Ticket<br>
> >>>>>>>>>> expired))<br>
> >>>>>>>>>> errno 0<br>
> (Success)<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> [30/Jun/2014:12:51:35<br>
> >>>>>>>>>> +0800]<br>
> >>>>>>>>>><br>
> slapd_ldap_sasl_interactive_bind<br>
> >>>>>>>>>> -<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Error: could<br>
> >>>>>>>>>> not perform<br>
> >>>>>>>>>> interactive<br>
> >>>>>>>>>> bind for<br>
> id []<br>
> >>>>>>>>>> mech<br>
> [GSSAPI]:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> LDAP error -2<br>
> >>>>>>>>>> (Local error)<br>
> >>>>>>>>>> (SASL(-1):<br>
> >>>>>>>>>> generic<br>
> >>>>>>>>>> failure:<br>
> GSSAPI<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Error:<br>
> >>>>>>>>>> Unspecified<br>
> >>>>>>>>>> GSS failure.<br>
> >>>>>>>>>> Minor code<br>
> >>>>>>>>>> may<br>
> provide more<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> information<br>
> >>>>>>>>>> (Ticket<br>
> >>>>>>>>>> expired))<br>
> >>>>>>>>>> errno 0<br>
> (Success)<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> [30/Jun/2014:12:51:35<br>
> >>>>>>>>>> +0800]<br>
> >>>>>>>>>><br>
> slapi_ldap_bind -<br>
> >>>>>>>>>> Error:<br>
> could not<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> perform<br>
> >>>>>>>>>> interactive<br>
> >>>>>>>>>> bind for<br>
> id []<br>
> >>>>>>>>>> mech<br>
> [GSSAPI]:<br>
> >>>>>>>>>> error -2<br>
> >>>>>>>>>> > (Local<br>
> >>>>>>>>>> error)<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> [30/Jun/2014:12:51:40<br>
> >>>>>>>>>> +0800]<br>
> >>>>>>>>>><br>
> slapd_ldap_sasl_interactive_bind<br>
> >>>>>>>>>> -<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Error: could<br>
> >>>>>>>>>> not perform<br>
> >>>>>>>>>> interactive<br>
> >>>>>>>>>> bind for<br>
> id []<br>
> >>>>>>>>>> mech<br>
> [GSSAPI]:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> LDAP error -2<br>
> >>>>>>>>>> (Local error)<br>
> >>>>>>>>>> (SASL(-1):<br>
> >>>>>>>>>> generic<br>
> >>>>>>>>>> failure:<br>
> GSSAPI<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Error:<br>
> >>>>>>>>>> Unspecified<br>
> >>>>>>>>>> GSS failure.<br>
> >>>>>>>>>> Minor code<br>
> >>>>>>>>>> may<br>
> provide more<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> information<br>
> >>>>>>>>>> (Ticket<br>
> >>>>>>>>>> expired))<br>
> >>>>>>>>>> errno 0<br>
> (Success)<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> [30/Jun/2014:12:51:40<br>
> >>>>>>>>>> +0800]<br>
> >>>>>>>>>><br>
> slapd_ldap_sasl_interactive_bind<br>
> >>>>>>>>>> -<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Error: could<br>
> >>>>>>>>>> not perform<br>
> >>>>>>>>>> interactive<br>
> >>>>>>>>>> bind for<br>
> id []<br>
> >>>>>>>>>> mech<br>
> [GSSAPI]:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> LDAP error -2<br>
> >>>>>>>>>> (Local error)<br>
> >>>>>>>>>> (SASL(-1):<br>
> >>>>>>>>>> generic<br>
> >>>>>>>>>> failure:<br>
> GSSAPI<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Error:<br>
> >>>>>>>>>> Unspecified<br>
> >>>>>>>>>> GSS failure.<br>
> >>>>>>>>>> Minor code<br>
> >>>>>>>>>> may<br>
> provide more<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> information<br>
> >>>>>>>>>> (Ticket<br>
> >>>>>>>>>> expired))<br>
> >>>>>>>>>> errno 0<br>
> (Success)<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> [30/Jun/2014:12:51:40<br>
> >>>>>>>>>> +0800]<br>
> >>>>>>>>>><br>
> slapi_ldap_bind -<br>
> >>>>>>>>>> Error:<br>
> could not<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> perform<br>
> >>>>>>>>>> interactive<br>
> >>>>>>>>>> bind for<br>
> id []<br>
> >>>>>>>>>> mech<br>
> [GSSAPI]:<br>
> >>>>>>>>>> error -2<br>
> >>>>>>>>>> > (Local<br>
> >>>>>>>>>> error)<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
</div></div>> >>>>>>>>>> 2014-07-02<br>
> >>>>>>>>>> 12:32<br>
<div class="">> >>>>>>>>>> GMT+08:00<br>
> >>>>>>>>>><br>
> <<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
> >>>>>>>>>><br>
</div>> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>>>>:<br>
<div class="">> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> yes on node<br>
> >>>>>>>>>> 1 it is<br>
> >>>>>>>>>> happening<br>
> only<br>
> >>>>>>>>>> node2<br>
> fail connect<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> ipa-replica-manage<br>
> >>>>>>>>>> list<br>
</div><div class="">> <a href="http://2.abc.com" target="_blank">2.abc.com</a> <<a href="http://2.abc.com" target="_blank">http://2.abc.com</a>><br>
</div><div class="">> <<a href="http://2.abc.com" target="_blank">http://2.abc.com</a>><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> Directory<br>
> >>>>>>>>>> Manager<br>
> password:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> <a href="http://1.abc.com" target="_blank">1.abc.com</a> <<a href="http://1.abc.com" target="_blank">http://1.abc.com</a>><br>
> <<a href="http://1.abc.com" target="_blank">http://1.abc.com</a>>:<br>
> >>>>>>>>>> replica<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> 2014-06-30<br>
> >>>>>>>>>> 20:59<br>
</div><div class="">> >>>>>>>>>> GMT+08:00 Rob<br>
> >>>>>>>>>> Crittenden<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>><br>
> <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> >>>>>>>>>><br>
</div>> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>><br>
> >>>>>>>>>><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
<div class="">> >>>>>>>>>><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> >>>>>>>>>><br>
</div>> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>><br>
> >>>>>>>>>><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> >>>>>>>>>><br>
<div class="HOEnZb"><div class="h5">> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>>>>:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> Barry wrote:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > Hi:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> >>>>> ...<br>
> >>>>><br>
> >>>><br>
> >>>><br>
> >>>><br>
> >>><br>
> >>><br>
> >><br>
> >><br>
> ><br>
> ><br>
> ><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>
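<div>Added example (not part of the original thread and not code from any poster or from the 389-ds project): one way to pull "all of the operations" for each connection out of a 389-ds access log and to count connections that closed before any operation, grouped by peer and close reason. The log lines are constructed in the layout quoted in this thread, and all function names are hypothetical.</div>

```python
import re
from collections import Counter

# Constructed sample, in the 389-ds access-log layout quoted in this thread.
SAMPLE_LOG = """\
[08/Jul/2014:16:02:39 +0800] conn=3299700 op=-1 fd=68 closed - B1
[08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
[08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1
[08/Jul/2014:16:02:41 +0800] conn=3299740 fd=70 slot=70 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=1 UNBIND
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=1 fd=70 closed - U1
[16/Jul/2014:10:01:38 +0800] conn=1018090 fd=72 slot=72 SSL connection from 192.168.15.88 to 192.168.15.88
[16/Jul/2014:10:01:38 +0800] conn=1018090 op=-1 fd=72 closed - Peer does not recognize and trust the CA that issued your certificate
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.+)$")
OPEN_RE = re.compile(
    r"^fd=\d+ slot=\d+ (?P<ssl>SSL )?connection from (?P<src>\S+) to (?P<dst>\S+)$"
)
CLOSE_RE = re.compile(r"^op=-?\d+ fd=\d+ closed - (?P<reason>.+)$")
OP_RE = re.compile(r"^op=\d+ (?P<what>\S+)")


def parse_access_log(text):
    """Group access-log lines by connection number.

    A connection whose opening line is missing from the excerpt (for example
    because the log was cut mid-stream) keeps src/dst as None.
    """
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unrelated lines
        rec = conns.setdefault(
            int(m["conn"]),
            {"src": None, "dst": None, "ssl": False, "ops": [], "closed": None},
        )
        rest = m["rest"]
        opened = OPEN_RE.match(rest)
        closed = CLOSE_RE.match(rest)
        op = OP_RE.match(rest)
        if opened:
            rec.update(src=opened["src"], dst=opened["dst"], ssl=bool(opened["ssl"]))
        elif closed:  # checked before OP_RE: close lines also start with op=
            rec["closed"] = closed["reason"]
        elif op:
            rec["ops"].append(op["what"])
    return conns


def silent_closes(conns):
    """Connections that were closed without a single logged operation."""
    return sorted(c for c, r in conns.items() if r["closed"] and not r["ops"])


def summarize(conns):
    """Count silent closes per (source, destination, close reason)."""
    return Counter(
        (conns[c]["src"], conns[c]["dst"], conns[c]["closed"])
        for c in silent_closes(conns)
    )


def self_connections(conns):
    """Connections where the server is talking to its own address."""
    return sorted(c for c, r in conns.items() if r["src"] and r["src"] == r["dst"])


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    for (src, dst, reason), n in summarize(parsed).most_common():
        print(f"{n:3d}  {src} -> {dst}  closed - {reason}")
    print("self-connections:", self_connections(parsed))
```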