<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 07/15/2014 08:22 PM,
<a class="moz-txt-link-abbreviated" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> wrote:<br>
</div>
<blockquote
cite="mid:CAELz9dvfcvi5Y=pJpm7V-7JHAZsVeNiEqTxWmZ72yxMH106TXQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Hi:</div>
<div><br>
</div>
<div>There is only one info that may relate to the ssl can't contact.
Any idea? It is using a Godaddy cert *.<a
moz-do-not-send="true" href="http://abc.com">abc.com</a>
without error on starting ipa.</div>
<div>
<br>
</div>
<div>[16/Jul/2014:10:01:38 +0800] conn=1018090 fd=72 slot=72 SSL
connection from 192.168.15.88 to 192.168.15.88</div>
<div>[16/Jul/2014:10:01:38 +0800] conn=1018090 op=-1 fd=72
closed - Peer does not recognize and trust the CA that issued
your certificate</div>
</div>
</blockquote>
<br>
Right. You need to install the CA cert for the CA that issued your
server certs on _all_ replicas, and the clients must also know about
the CA cert.<br>
<br>
<blockquote
cite="mid:CAELz9dvfcvi5Y=pJpm7V-7JHAZsVeNiEqTxWmZ72yxMH106TXQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>BTW ... after changing the deadlock parameter</div>
<div><br>
</div>
<div>nsslapd-db-deadlock-policy: 9 to 6 ... is it necessary to
restart the server?</div>
</div>
</blockquote>
<br>
No. The setting takes effect immediately.<br>
<br>
<blockquote
cite="mid:CAELz9dvfcvi5Y=pJpm7V-7JHAZsVeNiEqTxWmZ72yxMH106TXQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>any command can force update?</div>
</div>
</blockquote>
<br>
Not sure what this means.<br>
<br>
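Added example, not part of the original message: one way to follow the advice in this thread to watch the 389-ds access log, by pairing each connection's open line with its close line and reporting SSL connections that closed before any LDAP operation with a descriptive reason instead of a two-character close code. The first four log lines are copied from this thread (rejoined onto one line each); the remaining lines, the 192.0.2.10 client and the function names are constructed for illustration.<br>

```python
import re
from collections import Counter

# Connection-open line: "[ts] conn=N fd=N slot=N [SSL ]connection from SRC to DST"
OPEN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ "
    r"(?P<ssl>SSL )?connection from (?P<src>\S+) to (?P<dst>\S+)$"
)
# Connection-close line: "[ts] conn=N op=N fd=N closed - REASON"
CLOSE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) fd=\d+ "
    r"closed - (?P<reason>.+)$"
)
# Any LDAP operation or result on a connection (BIND, SRCH, RESULT, UNBIND, ...)
OP_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=\d+ [A-Z]+\b")
# Two-character close codes such as B1 or U1, as opposed to a TLS error string
SHORT_CODE_RE = re.compile(r"^[A-Z]\d$")

# Lines 1-4 are taken from this thread; lines 5-11 are constructed sample data.
SAMPLE_LOG = """
[04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.156.89 to 192.168.156.89
[04/Jul/2014:12:35:30 +0800] conn=936207 op=-1 fd=73 closed - B1
[16/Jul/2014:10:01:38 +0800] conn=1018090 fd=72 slot=72 SSL connection from 192.168.15.88 to 192.168.15.88
[16/Jul/2014:10:01:38 +0800] conn=1018090 op=-1 fd=72 closed - Peer does not recognize and trust the CA that issued your certificate
[16/Jul/2014:10:02:05 +0800] conn=1018091 fd=73 slot=73 SSL connection from 192.0.2.10 to 192.168.15.88
[16/Jul/2014:10:02:05 +0800] conn=1018091 op=-1 fd=73 closed - Peer does not recognize and trust the CA that issued your certificate
[16/Jul/2014:10:02:11 +0800] conn=1018092 fd=74 slot=74 SSL connection from 192.168.15.89 to 192.168.15.88
[16/Jul/2014:10:02:11 +0800] conn=1018092 op=0 BIND dn="cn=directory manager" method=128 version=3
[16/Jul/2014:10:02:11 +0800] conn=1018092 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[16/Jul/2014:10:02:11 +0800] conn=1018092 op=1 UNBIND
[16/Jul/2014:10:02:11 +0800] conn=1018092 op=1 fd=74 closed - U1
"""


def find_tls_handshake_failures(lines):
    """Return SSL connections that closed before any LDAP operation with a
    descriptive reason rather than a two-character close code."""
    open_conns = {}
    failures = []
    for raw in lines:
        line = raw.strip()
        m = OPEN_RE.match(line)
        if m:
            open_conns[m["conn"]] = {
                "ts": m["ts"], "ssl": bool(m["ssl"]),
                "src": m["src"], "dst": m["dst"], "ops": 0,
            }
            continue
        m = CLOSE_RE.match(line)
        if m:
            info = open_conns.pop(m["conn"], None)
            if info is None:
                continue  # open line was rotated out of this log file
            reason = m["reason"].strip()
            if (info["ssl"] and info["ops"] == 0 and m["op"] == "-1"
                    and not SHORT_CODE_RE.match(reason)):
                failures.append({
                    "conn": m["conn"], "ts": info["ts"],
                    "src": info["src"], "dst": info["dst"],
                    # src == dst: the client is a tool on the server itself,
                    # as with the ipa command in this thread
                    "local": info["src"] == info["dst"],
                    "reason": reason,
                })
            continue
        m = OP_RE.match(line)
        if m and m["conn"] in open_conns:
            open_conns[m["conn"]]["ops"] += 1
    return failures


def clients_untrusting_ca(failures):
    """Count, per client address, the failures whose reason says the peer
    (the connecting client) does not trust the CA that issued the server
    certificate. Those are the hosts that need the CA cert installed."""
    hits = Counter(f["src"] for f in failures if "trust the CA" in f["reason"])
    return dict(hits)


if __name__ == "__main__":
    found = find_tls_handshake_failures(SAMPLE_LOG.splitlines())
    for f in found:
        where = "local client" if f["local"] else "remote client"
        print(f'{f["ts"]} conn={f["conn"]} {f["src"]} ({where}): {f["reason"]}')
    print(clients_untrusting_ca(found))
```
<br>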
<blockquote
cite="mid:CAELz9dvfcvi5Y=pJpm7V-7JHAZsVeNiEqTxWmZ72yxMH106TXQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
</div>
<div class="gmail_extra">
<br>
<br>
<div class="gmail_quote">2014-07-15 23:38 GMT+08:00 Rob
Crittenden <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class=""><a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>
wrote:<br>
> What is meant? You meant enable anonymous access?
Return back to 389?<br>
> How to remove the can't connect LDAP server ?<br>
<br>
</div>
I meant neither of those.<br>
<br>
Watch the 389-ds access log when running ipa-replica-manage
list<br>
<br>
Find the connection, note the error, if any.<br>
<br>
rob<br>
<div class=""><br>
><br>
><br>
> 2014-07-15 22:29 GMT+08:00 Rob Crittenden <<a
moz-do-not-send="true" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br>
</div>
> <mailto:<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>:<br>
<div class="">><br>
> Rich Megginson wrote:<br>
> > On 07/14/2014 05:58 PM, <a
moz-do-not-send="true" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
</div>
<div class="">> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>
wrote:<br>
> >> kinit work , can input password<br>
> >><br>
> >> any ipa command fail even ipa
replica-manage status command >>"cant<br>
> >> contact ldap server"<br>
> ><br>
> > Assuming that ldapsearch works, this sounds
like the ipa command line<br>
> > tool can't communicate with the httpd
server? Any errors in<br>
> > /var/log/httpd/error_log?<br>
><br>
> ipa-replica-manage only uses direct LDAP (maybe a
little GSSAPI for good<br>
> measure).<br>
><br>
> It also uses port 636 so at this point I suspect
it is an SSL trust<br>
> issue. If you watch the access log you should see
the connection attempt<br>
> and result.<br>
><br>
> rob<br>
><br>
> ><br>
> >><br>
> >><br>
> >> 2014-07-15 0:03 GMT+08:00 Rich Megginson
<<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
</div>
> >> <mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
<div class="">> >><br>
> >> On 07/13/2014 08:51 PM, <a
moz-do-not-send="true" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div>
<div class="">> >> <mailto:<a
moz-do-not-send="true" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>
wrote:<br>
</div>
<div class="">> >>> Hi:<br>
> >>><br>
> >>> Only for the servers that are
getting the "DB_LOCK_DEADLOCK:<br>
> >>> Locker killed to resolve a
deadlock" message in the errors log.<br>
> >>><br>
> >>> > need restart ipactl service
after modification?<br>
> >>><br>
> >>> But this does not explain the
"cant contact ldap server" errors.<br>
> >>><br>
> >>> Which ipa commands give the
"cant contact ldap server" errors?<br>
> >>><br>
> >>> > <a moz-do-not-send="true"
href="http://server2.abc.com" target="_blank">server2.abc.com</a>
<<a moz-do-not-send="true"
href="http://server2.abc.com" target="_blank">http://server2.abc.com</a>><br>
> <<a moz-do-not-send="true"
href="http://server2.abc.com" target="_blank">http://server2.abc.com</a>>
and command related<br>
> >>> ipa shown can't contact ldap
server, log shown before.<br>
> >><br>
> >> Does this mean that<br>
> >> ipa user-find<br>
> >> on <a moz-do-not-send="true"
href="http://server2.abc.com" target="_blank">server2.abc.com</a>
<<a moz-do-not-send="true"
href="http://server2.abc.com" target="_blank">http://server2.abc.com</a>><br>
> <<a moz-do-not-send="true"
href="http://server2.abc.com" target="_blank">http://server2.abc.com</a>>
gives a "cant contact<br>
> >> ldap server" error?<br>
> >><br>
> >> Or is it only the ipa replica-manage
status command that gives<br>
> >> this error?<br>
> >><br>
> >> If it is the former, does ldapsearch
work? Does kinit work?<br>
> >><br>
> >>><br>
> >>><br>
> >>> 2014-07-11 21:55 GMT+08:00 Rich
Megginson<br>
> <<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
</div>
> >>> <mailto:<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
<div class="">> >>><br>
> >>> On 07/11/2014 01:53 AM, <a
moz-do-not-send="true" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div>
<div class="">> >>> <mailto:<a
moz-do-not-send="true" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>><br>
> wrote:<br>
</div>
<div class="">> >>>> At server 2
there is a error:<br>
> >>>><br>
> >>>><br>
> >>>> [10/Jul/2014:12:29:59
+0800] NSMMReplicationPlugin -<br>
> >>>> agmt="cn=<a
moz-do-not-send="true" href="http://meToserver1.abc.com"
target="_blank">meToserver1.abc.com</a><br>
</div>
> <<a moz-do-not-send="true"
href="http://meToserver1.abc.com" target="_blank">http://meToserver1.abc.com</a>>
<<a moz-do-not-send="true"
href="http://meToserver1.abc.com" target="_blank">http://meToserver1.abc.com</a>>"<br>
<div class="">> >>>>
(central:389): Replication bind with GSSAPI auth failed:<br>
> >>>> LDAP error -2 (Local
error) (SASL(-1): generic failure:<br>
> >>>> GSSAPI Error:
Unspecified GSS failure. Minor code may<br>
> >>>> provide more information
(Credentials cache file<br>
> >>>> '/tmp/krb5cc_494' not
found))<br>
> >>><br>
> >>> This is usually a transient
error that should go away.<br>
> >>><br>
> >>>><br>
> >>>><br>
> >>>> 2014-07-11 10:26
GMT+08:00 <<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div>
> >>>> <mailto:<a
moz-do-not-send="true" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>>:<br>
<div class="">> >>>><br>
> >>>> Yes ,<br>
> >>>> still get "cant
contact ldap server" after upgrading<br>
> >>>> both servers.<br>
> >>>><br>
> >>>><br>
> >>>> 2014-07-10 23:18
GMT+08:00 Rich Megginson<br>
> >>>> <<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
</div>
> <mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
<div class="">> >>>><br>
> >>>> On 07/10/2014
09:15 AM, <a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div>
<div class="">> >>>>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>
wrote:<br>
> >>>>><br>
</div>
<div class="">> >>>>>
But any hint that server 2 say cant contact ldap<br>
> >>>>> server if
type ipa command?<br>
> >>>>><br>
> >>>><br>
> >>>> Please keep
replies on list.<br>
> >>>><br>
> >>>> You still get
"cant contact ldap server" after<br>
> >>>> upgrading both
servers?<br>
> >>>><br>
> >>>>> 2014/7/10
10:25 PM, "Rich Megginson"<br>
> >>>>> <<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
</div>
> <mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>
<mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
<div class="">> <mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>><br>
> >>>>> wrote:<br>
> >>>>><br>
> >>>>> On
07/10/2014 01:14 AM, <a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div>
<div class="">> >>>>>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>
wrote:<br>
</div>
<div>
<div class="h5">> >>>>>>
Tried and now two version same ....but seem<br>
> >>>>>>
same situation.<br>
> >>>>>><br>
> >>>>>> i
found a related error log that server1 has<br>
> >>>>>>
account after added user but not<br>
> replicated to<br>
> >>>>>>
server2. Is it too fast on UI clicking ? as i<br>
> >>>>>>
exp once that click very<br>
> >>>>>>
fast twice add and edit user may cause server<br>
> >>>>>> 2
no record.<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>>
[10/Jul/2014:14:20:01 +0800]<br>
> >>>>>>
NSMMReplicationPlugin - changelog program -<br>
> >>>>>>
_cl5WriteOperationTxn: retry (49) the<br>
> >>>>>>
transaction (csn=53be3097000000040000) failed<br>
> >>>>>>
(rc=-30994 (DB_LOCK_DEADLOCK: Locker<br>
> killed to<br>
> >>>>>>
resolve a deadlock))<br>
> >>>>>>
[10/Jul/2014:14:20:01 +0800]<br>
> >>>>>>
NSMMReplicationPlugin - changelog program -<br>
> >>>>>>
_cl5WriteOperationTxn: failed to write entry<br>
> >>>>>>
with csn (53be3097000000040000); db error -<br>
> >>>>>>
-30994 DB_LOCK_DEADLOCK: Locker killed to<br>
> >>>>>>
resolve a deadlock<br>
> >>>>>>
[10/Jul/2014:14:20:01 +0800]<br>
> >>>>>>
NSMMReplicationPlugin -<br>
> >>>>>>
write_changelog_and_ruv: can't add a change<br>
> >>>>>>
for<br>
> >>>>>><br>
>
uid=xuehuimei,cn=users,cn=accounts,dc=abc,dc=com<br>
> >>>>>>
(uniqid: 1300de84-07fa11e4-b3ddf885-593f3a7a,<br>
> >>>>>>
optype: 16) to changelog csn<br>
> 53be3097000000040000<br>
> >>>>>>
[10/Jul/2014:14:56:51 +0800]<br>
> >>>>>>
NSMMReplicationPlugin - changelog program -<br>
> >>>>>>
_cl5WriteOperationTxn: retry (49) the<br>
> >>>>>>
transaction (csn=53be3939000000040000) failed<br>
> >>>>>>
(rc=-30994 (DB_LOCK_DEADLOCK: Locker<br>
> killed to<br>
> >>>>>>
resolve a deadlock))<br>
> >>>>>>
[10/Jul/2014:14:56:51 +0800]<br>
> >>>>>>
NSMMReplicationPlugin - changelog program -<br>
> >>>>>>
_cl5WriteOperationTxn: failed to write entry<br>
> >>>>>>
with csn (53be3939000000040000); db error -<br>
> >>>>>>
-30994 DB_LOCK_DEADLOCK: Locker killed to<br>
> >>>>>>
resolve a deadlock<br>
> >>>>>>
[10/Jul/2014:14:56:51 +0800]<br>
> >>>>>>
NSMMReplicationPlugin -<br>
> >>>>>>
write_changelog_and_ruv: can't add a change<br>
> >>>>>>
for<br>
> >>>>>><br>
>
uid=websubcon04,cn=users,cn=accounts,dc=abc,dc=com<br>
> >>>>>>
(uniqid: 3e39fc81-07ff11e4-b3ddf885-593f3a7a,<br>
> >>>>>>
optype: 16) to changelog csn<br>
> 53be3939000000040000<br>
> >>>>><br>
> >>>>> This
looks like<br>
> >>>>> <a
moz-do-not-send="true"
href="https://fedorahosted.org/389/ticket/47409"
target="_blank">https://fedorahosted.org/389/ticket/47409</a>
and<br>
> >>>>><br>
> <a moz-do-not-send="true"
href="https://bugzilla.redhat.com/show_bug.cgi?id=979169"
target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=979169</a><br>
> >>>>><br>
> >>>>> Cause:
Under certain conditions, with a mix of<br>
> >>>>>
concurrent search and update and outgoing<br>
> >>>>>
replication operations, there will be<br>
> deadlocks<br>
> >>>>> in the
changelog db, leading to error messages<br>
> >>>>> like
this:<br>
> >>>>>
NSMMReplicationPlugin - changelog program -<br>
> >>>>>
_cl5WriteOperationTxn: failed to write entry<br>
> >>>>> with
csn (XXXXXXX); db error - -30994<br>
> >>>>>
DB_LOCK_DEADLOCK: Locker killed to resolve a<br>
> >>>>>
deadlock<br>
> >>>>> This
is caused by a deadlock between the<br>
> >>>>>
changelog readers, writers, and main database<br>
> >>>>>
writers.<br>
> >>>>><br>
> >>>>>
Consequence: Update operations will fail with<br>
> >>>>> the
above error message in the directory<br>
> server<br>
> >>>>> errors
log.<br>
> >>>>><br>
> >>>>> Fix: A
new configuration parameter is<br>
> introduced:<br>
> >>>>> dn:
cn=config,cn=ldbm<br>
> database,cn=plugins,cn=config<br>
> >>>>>
nsslapd-db-deadlock-policy: 9<br>
> >>>>><br>
> >>>>> With
the default policy 9 (DB_LOCK_YOUNGEST),<br>
> >>>>> the
last locker gets killed when there is a<br>
> >>>>>
deadlock. In the case that this is the<br>
> >>>>>
changelog writer, the write will fail, and the<br>
> >>>>> entire
update will fail.<br>
> >>>>><br>
> >>>>> Users
who frequently see the above errors in<br>
> >>>>> the
errors log are advised to change this<br>
> >>>>>
setting to 6 (DB_LOCK_MINWRITE) which will<br>
> >>>>>
instead kill the locker that has the fewest<br>
> >>>>> write
locks (that is, the changelog reader).<br>
> >>>>> The
changelog reader code has been changed to<br>
> >>>>> handle
this deadlock condition and retry. The<br>
> >>>>>
setting can be changed like this:<br>
> >>>>><br>
> >>>>>
ldapmodify -x -D "cn=directory manager" -W<br>
> <<EOF<br>
> >>>>> dn:
cn=config,cn=ldbm<br>
> database,cn=plugins,cn=config<br>
> >>>>>
changetype: modify<br>
> >>>>>
replace: nsslapd-db-deadlock-policy<br>
> >>>>>
nsslapd-db-deadlock-policy: 6<br>
> >>>>> EOF<br>
> >>>>><br>
> >>>>> You
may ask why the default is not changed to<br>
> >>>>> 6.
The answer is that the setting will apply<br>
> >>>>> to
_all_ threads, so that changing this<br>
> setting<br>
> >>>>> could
cause regular search requests to<br>
> fail, if<br>
> >>>>> the
directory server is under a heavy update<br>
> >>>>> load.
In our testing, we did not see this<br>
> >>>>>
happen, but we cannot guarantee that changing<br>
> >>>>> this
value to 6 will not impact regular search<br>
> >>>>>
requests.<br>
> >>>>><br>
> >>>>>
Result: After changing<br>
> >>>>>
nsslapd-db-deadlock-policy to 6, updates will<br>
> >>>>>
succeed and no longer cause errors like<br>
> the above.<br>
> >>>>><br>
> >>>>><br>
> >>>>>><br>
> >>>>>><br>
> >>>>>>
2014-07-10 10:40 GMT+08:00 Rich Megginson<br>
> >>>>>>
<<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
</div>
</div>
> >>>>>>
<mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
<div class="">> <mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
> >>>>>><br>
> >>>>>>
On 07/09/2014 08:36 PM,<br>
> <a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div>
<div class="">> >>>>>>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>
wrote:<br>
</div>
<div>
<div class="h5">> >>>>>>>
Hi :<br>
> >>>>>>><br>
> >>>>>>>
What is the procedure for this minor<br>
> update ?<br>
> >>>>>>><br>
> >>>>>>>
just yum update ipa-server after<br>
> stop the<br>
> >>>>>>>
server?<br>
> >>>>>><br>
> >>>>>>
If you just want to upgrade only the LDAP<br>
> >>>>>>
server, which is the component that I for<br>
> >>>>>>
sure know is out of date, then yum update<br>
> >>>>>>
389-ds-base.<br>
> >>>>>><br>
> >>>>>>
Or just "yum update" - in general I don't<br>
> >>>>>>
like running "franken-systems" which have<br>
> >>>>>>
a mix of up-to-date and out of date<br>
> >>>>>>
packages. Note that "IPA server" is<br>
> >>>>>>
composed of several packages.<br>
> >>>>>><br>
> >>>>>>
You do not need to stop the server.<br>
> >>>>>>
yum/rpm upgrade will restart as needed.<br>
> >>>>>>
If you want to make sure, do ipactl<br>
> >>>>>>
restart after upgrade.<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>>>
and effect of the existing ldap?<br>
> >>>>>><br>
> >>>>>>
Not sure what you mean. Upgrade should<br>
> >>>>>>
not touch any config or data.<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>>><br>
> >>>>>>>
As the server 2 is master of replica<br>
> also<br>
> >>>>>>>
, so need refo ipa-replica install ?<br>
> >>>>>><br>
> >>>>>>
No, you just need to perform the same<br>
> >>>>>>
upgrade procedure.<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>>><br>
> >>>>>>>
barry<br>
> >>>>>>><br>
> >>>>>>><br>
> >>>>>>>
2014-07-09 22:20 GMT+08:00 Rich<br>
> Megginson<br>
> >>>>>>>
<<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
</div>
</div>
> >>>>>>>
<mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
<div class="">> <mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
> >>>>>>><br>
> >>>>>>>
On 07/08/2014 09:02 PM,<br>
> >>>>>>>
<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div>
<div class="">> >>>>>>>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>
wrote:<br>
</div>
<div>
<div class="h5">> >>>>>>>>
Some error i found :<br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>>
<a moz-do-not-send="true"
href="http://server1.abc.com:636" target="_blank">server1.abc.com:636</a><br>
> <<a moz-do-not-send="true"
href="http://server1.abc.com:636" target="_blank">http://server1.abc.com:636</a>><br>
> >>>>>>>>
<<a moz-do-not-send="true"
href="http://server1.abc.com:636" target="_blank">http://server1.abc.com:636</a>><br>
> >>>>>>>>
(/etc/dirsrv/slapd-abc-COM)<br>
> >>>>>>>><br>
> >>>>>>>>
[29/Jun/2014:02:00:56 +0800] -<br>
> >>>>>>>>
389-Directory/<a moz-do-not-send="true"
href="http://1.2.11.25" target="_blank">1.2.11.25</a><br>
> <<a moz-do-not-send="true"
href="http://1.2.11.25" target="_blank">http://1.2.11.25</a>><br>
> >>>>>>>>
<<a moz-do-not-send="true"
href="http://1.2.11.25" target="_blank">http://1.2.11.25</a>>
B2013.325.1951<br>
> >>>>>>>>
starting up<br>
> >>>>>>>>
[29/Jun/2014:02:00:56 +0800]<br>
> >>>>>>>>
attrcrypt - attrcrypt_unwrap_key:<br>
> >>>>>>>>
failed to unwrap key for cipher AES<br>
> >>>>>>>>
[29/Jun/2014:02:00:56 +0800]<br>
> >>>>>>>>
attrcrypt - attrcrypt_cipher_init:<br>
> >>>>>>>>
symmetric key failed to unwrap with<br>
> >>>>>>>>
the private key; Cert might have<br>
> >>>>>>>>
been renewed since the key is<br>
> >>>>>>>>
wrapped. To recover the encrypted<br>
> >>>>>>>>
contents, keep the wrapped<br>
> symmetric<br>
> >>>>>>>>
key value.<br>
> >>>>>>>>
[29/Jun/2014:02:00:56 +0800]<br>
> >>>>>>>>
attrcrypt - attrcrypt_unwrap_key:<br>
> >>>>>>>>
failed to unwrap key for cipher<br>
> 3DES<br>
> >>>>>>>>
[29/Jun/2014:02:00:56 +0800]<br>
> >>>>>>>>
attrcrypt - attrcrypt_cipher_init:<br>
> >>>>>>>>
symmetric key failed to unwrap with<br>
> >>>>>>>>
the private key; Cert might have<br>
> >>>>>>>>
been renewed since the key is<br>
> >>>>>>>>
wrapped. To recover the encrypted<br>
> >>>>>>>>
contents, keep the wrapped<br>
> symmetric<br>
> >>>>>>>>
key value.<br>
> >>>>>>>>
[29/Jun/2014:02:00:56 +0800]<br>
> >>>>>>>>
attrcrypt - All prepared<br>
> ciphers are<br>
> >>>>>>>>
not available. Please disable<br>
> >>>>>>>>
attribute encryption.<br>
> >>>>>>>>
[29/Jun/2014:02:00:56 +0800]<br>
> >>>>>>>>
schema-compat-plugin - warning: no<br>
> >>>>>>>>
entries set up under cn=computers,<br>
> >>>>>>>>
cn=compat,dc=abc,dc=com<br>
> >>>>>>>>
[29/Jun/2014:02:00:57 +0800]<br>
> >>>>>>>>
schema-compat-plugin - warning: no<br>
> >>>>>>>>
entries set up under cn=ng,<br>
> >>>>>>>>
cn=compat,dc=abc,dc=com<br>
> >>>>>>>>
[29/Jun/2014:02:00:57 +0800]<br>
> >>>>>>>>
schema-compat-plugin - warning: no<br>
> >>>>>>>>
entries set up under<br>
> >>>>>>>>
ou=sudoers,dc=abc,dc=com<br>
> >>>>>>>>
[29/Jun/2014:02:00:57 +0800] -<br>
> >>>>>>>>
Skipping CoS Definition cn=Password<br>
> >>>>>>>><br>
> Policy,cn=accounts,dc=abc,dc=com--no<br>
> >>>>>>>>
CoS Templates found, which<br>
> should be<br>
> >>>>>>>>
added before the CoS Definition.<br>
> >>>>>>>>
[29/Jun/2014:02:00:57 +0800]<br>
> >>>>>>>>
set_krb5_creds - Could not get<br>
> >>>>>>>>
initial credentials for principal<br>
> >>>>>>>>
[<a class="moz-txt-link-abbreviated" href="mailto:ldap/server1.abc.com@abc.COM">ldap/server1.abc.com@abc.COM</a><br>
> >>>>>>>>
<mailto:<a moz-do-not-send="true"
href="mailto:ldap">ldap</a><br>
</div>
</div>
> <mailto:<a moz-do-not-send="true"
href="mailto:ldap">ldap</a>>/server1.abc.com@abc.COM>]<br>
<div>
<div class="h5">> >>>>>>>>
in keytab<br>
> >>>>>>>>
[<a class="moz-txt-link-freetext" href="FILE:/etc/dirsrv/ds.keytab">FILE:/etc/dirsrv/ds.keytab</a>]:<br>
> >>>>>>>>
-1765328228 (Cannot contact any KDC<br>
> >>>>>>>>
for requested realm)<br>
> >>>>>>>>
[29/Jun/2014:02:00:58 +0800] -<br>
> >>>>>>>>
Skipping CoS Definition cn=Password<br>
> >>>>>>>><br>
> Policy,cn=accounts,dc=abc,dc=com--no<br>
> >>>>>>>>
CoS Templates found, which<br>
> should be<br>
> >>>>>>>>
added before the CoS Definition.<br>
> >>>>>>>>
[29/Jun/2014:02:00:58 +0800]<br>
> >>>>>>>>
slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>>
Error: could not perform<br>
> interactive<br>
> >>>>>>>>
bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>>
error -2 (Local error) (SASL(-1):<br>
> >>>>>>>>
generic failure: GSSAPI Error:<br>
> >>>>>>>>
Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>>
may provide more information<br>
> >>>>>>>>
(Credentials cache file<br>
> >>>>>>>>
'/tmp/krb5cc_492' not found)) errno<br>
> >>>>>>>>
0 (Success)<br>
> >>>>>>>>
[29/Jun/2014:02:00:58 +0800]<br>
> >>>>>>>>
slapi_ldap_bind - Error: could not<br>
> >>>>>>>>
perform interactive bind for id []<br>
> >>>>>>>>
mech [GSSAPI]: error -2 (Local<br>
> error)<br>
> >>>>>>>>
[29/Jun/2014:02:00:58 +0800]<br>
> >>>>>>>>
NSMMReplicationPlugin -<br>
> >>>>>>>>
agmt="cn=<a moz-do-not-send="true"
href="http://meToserver2.abc.com" target="_blank">meToserver2.abc.com</a><br>
> <<a moz-do-not-send="true"
href="http://meToserver2.abc.com" target="_blank">http://meToserver2.abc.com</a>><br>
> >>>>>>>>
<<a moz-do-not-send="true"
href="http://meToserver2.abc.com" target="_blank">http://meToserver2.abc.com</a>>"<br>
> >>>>>>>>
(server2:389): Replication bind<br>
> with<br>
> >>>>>>>>
GSSAPI auth failed: LDAP error -2<br>
> >>>>>>>>
(Local error) (SASL(-1): generic<br>
> >>>>>>>>
failure: GSSAPI Error: Unspecified<br>
> >>>>>>>>
GSS failure. Minor code may<br>
> provide<br>
> >>>>>>>>
more information (Credentials cache<br>
> >>>>>>>>
file '/tmp/krb5cc_492' not found))<br>
> >>>>>>>>
[29/Jun/2014:02:00:58 +0800] -<br>
> slapd<br>
> >>>>>>>>
started. Listening on All<br>
> >>>>>>>>
Interfaces port 389 for LDAP<br>
> requests<br>
> >>>>>>>>
[29/Jun/2014:02:00:58 +0800] -<br>
> >>>>>>>>
Listening on All Interfaces<br>
> port 636<br>
> >>>>>>>>
for LDAPS requests<br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>>
389-Directory/<a moz-do-not-send="true"
href="http://1.2.11.15" target="_blank">1.2.11.15</a><br>
> <<a moz-do-not-send="true"
href="http://1.2.11.15" target="_blank">http://1.2.11.15</a>><br>
> >>>>>>>>
<<a moz-do-not-send="true"
href="http://1.2.11.15" target="_blank">http://1.2.11.15</a>>
B2013.240.174<br>
> >>>>>>>>
<a moz-do-not-send="true"
href="http://server2.abc.com:636" target="_blank">server2.abc.com:636</a><br>
> <<a moz-do-not-send="true"
href="http://server2.abc.com:636" target="_blank">http://server2.abc.com:636</a>><br>
> >>>>>>>>
<<a moz-do-not-send="true"
href="http://server2.abc.com:636" target="_blank">http://server2.abc.com:636</a>><br>
> >>>>>>>>
(/etc/dirsrv/slapd-abc-COM)<br>
> >>>>>>>><br>
> >>>>>>>>
[30/Jun/2014:12:51:31 +0800]<br>
> >>>>>>>>
slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>>
Error: could not perform<br>
> interactive<br>
> >>>>>>>>
bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>>
error -2 (Local error) (SASL(-1):<br>
> >>>>>>>>
generic failure: GSSAPI Error:<br>
> >>>>>>>>
Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>>
may provide more information<br>
> (Ticket<br>
> >>>>>>>>
expired)) errno 0 (Success)<br>
> >>>>>>>>
[30/Jun/2014:12:51:31 +0800]<br>
> >>>>>>>>
slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>>
Error: could not perform<br>
> interactive<br>
> >>>>>>>>
bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>>
error -2 (Local error) (SASL(-1):<br>
> >>>>>>>>
generic failure: GSSAPI Error:<br>
> >>>>>>>>
Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>>
may provide more information<br>
> (Ticket<br>
> >>>>>>>>
expired)) errno 0 (Success)<br>
> >>>>>>>>
[30/Jun/2014:12:51:31 +0800]<br>
> >>>>>>>>
slapi_ldap_bind - Error: could not<br>
> >>>>>>>>
perform interactive bind for id []<br>
> >>>>>>>>
mech [GSSAPI]: error -2 (Local<br>
> error)<br>
> >>>>>>>>
[30/Jun/2014:12:51:31 +0800]<br>
> >>>>>>>>
NSMMReplicationPlugin -<br>
> >>>>>>>>
agmt="cn=<a moz-do-not-send="true"
href="http://meToserver1.abc.com" target="_blank">meToserver1.abc.com</a><br>
> <<a moz-do-not-send="true"
href="http://meToserver1.abc.com" target="_blank">http://meToserver1.abc.com</a>><br>
> >>>>>>>>
<<a moz-do-not-send="true"
href="http://meToserver1.abc.com" target="_blank">http://meToserver1.abc.com</a>>"<br>
> >>>>>>>>
(server1:389): Replication bind<br>
> with<br>
> >>>>>>>>
GSSAPI auth failed: LDAP error -2<br>
> >>>>>>>>
(Local error) (SASL(-1): generic<br>
> >>>>>>>>
failure: GSSAPI Error: Unspecified<br>
> >>>>>>>>
GSS failure. Minor code may<br>
> provide<br>
> >>>>>>>>
more information (Ticket expired))<br>
> >>>>>>>>
[30/Jun/2014:12:51:34 +0800]<br>
> >>>>>>>>
slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>>
Error: could not perform<br>
> interactive<br>
> >>>>>>>>
bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>>
error -2 (Local error) (SASL(-1):<br>
> >>>>>>>>
generic failure: GSSAPI Error:<br>
> >>>>>>>>
Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>>
may provide more information<br>
> (Ticket<br>
> >>>>>>>>
expired)) errno 0 (Success)<br>
> >>>>>>>>
[30/Jun/2014:12:51:35 +0800]<br>
> >>>>>>>>
slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>>
Error: could not perform<br>
> interactive<br>
> >>>>>>>>
bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>>
error -2 (Local error) (SASL(-1):<br>
> >>>>>>>>
generic failure: GSSAPI Error:<br>
> >>>>>>>>
Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>>
may provide more information<br>
> (Ticket<br>
> >>>>>>>>
expired)) errno 0 (Success)<br>
> >>>>>>>>
[30/Jun/2014:12:51:35 +0800]<br>
> >>>>>>>>
slapi_ldap_bind - Error: could not<br>
> >>>>>>>>
perform interactive bind for id []<br>
> >>>>>>>>
mech [GSSAPI]: error -2 (Local<br>
> error)<br>
> >>>>>>>>
[30/Jun/2014:12:51:40 +0800]<br>
> >>>>>>>>
slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>>
Error: could not perform<br>
> interactive<br>
> >>>>>>>>
bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>>
error -2 (Local error) (SASL(-1):<br>
> >>>>>>>>
generic failure: GSSAPI Error:<br>
> >>>>>>>>
Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>>
may provide more information<br>
> (Ticket<br>
> >>>>>>>>
expired)) errno 0 (Success)<br>
> >>>>>>>>
[30/Jun/2014:12:51:40 +0800]<br>
> >>>>>>>>
slapd_ldap_sasl_interactive_bind -<br>
> >>>>>>>>
Error: could not perform<br>
> interactive<br>
> >>>>>>>>
bind for id [] mech [GSSAPI]: LDAP<br>
> >>>>>>>>
error -2 (Local error) (SASL(-1):<br>
> >>>>>>>>
generic failure: GSSAPI Error:<br>
> >>>>>>>>
Unspecified GSS failure. Minor<br>
> code<br>
> >>>>>>>>
may provide more information<br>
> (Ticket<br>
> >>>>>>>>
expired)) errno 0 (Success)<br>
> >>>>>>>>
[30/Jun/2014:12:51:40 +0800]<br>
> >>>>>>>>
slapi_ldap_bind - Error: could not<br>
> >>>>>>>>
perform interactive bind for id []<br>
> >>>>>>>>
mech [GSSAPI]: error -2 (Local<br>
> error)<br>
> >>>>>>>>
[30/Jun/2014:12:51:52 +0800]<br>
> >>>>>>>>
NSMMReplicationPlugin -<br>
> >>>>>>>>
agmt="cn=<a moz-do-not-send="true"
href="http://meToserver1.abc.com" target="_blank">meToserver1.abc.com</a><br>
> <<a moz-do-not-send="true"
href="http://meToserver1.abc.com" target="_blank">http://meToserver1.abc.com</a>><br>
> >>>>>>>>
<<a moz-do-not-send="true"
href="http://meToserver1.abc.com" target="_blank">http://meToserver1.abc.com</a>>"<br>
> >>>>>>>>
(server1:389): Replication bind<br>
> with<br>
> >>>>>>>>
GSSAPI auth resumed<br>
> >>>>>>>><br>
> >>>>>>><br>
> >>>>>>>
You are using an older version of<br>
> >>>>>>>
389. The version on server2 is<br>
> older<br>
> >>>>>>>
than the version on server1.<br>
> Can you<br>
> >>>>>>>
upgrade and see if that fixes your<br>
> >>>>>>>
problems? Even if it doesn't fix<br>
> >>>>>>>
your problems, it will be much<br>
> easier<br>
> >>>>>>>
for us to support.<br>
> >>>>>>><br>
> >>>>>>><br>
> >>>>>>>><br>
> >>>>>>>>
2014-07-09 10:55 GMT+08:00<br>
> >>>>>>>>
<<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
</div>
</div>
> >>>>>>>>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
<div class="">> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>>:<br>
> >>>>>>>><br>
> >>>>>>>>
FYI..<br>
> >>>>>>>>
160: [04/Jul/2014:12:35:30<br>
> >>>>>>>>
+0800] conn=936207 fd=73<br>
> slot=73<br>
> >>>>>>>>
connection from 192.168.156.89<br>
> >>>>>>>>
to 192.168.156.89<br>
> >>>>>>>>
163: [04/Jul/2014:12:35:30<br>
> >>>>>>>>
+0800] conn=936207 op=-1 fd=73<br>
> >>>>>>>>
closed - B1<br>
> >>>>>>>><br>
> >>>>>>>>
There is not abt binding but i<br>
> >>>>>>>>
unsure how to fix ..<br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>>
2014-07-09 2:01 GMT+08:00 Rich<br>
> >>>>>>>>
Megginson<br>
> <<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
</div>
> >>>>>>>>
<mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
<div class="">> <mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
> >>>>>>>><br>
> >>>>>>>>
On 07/08/2014 02:16 AM,<br>
> >>>>>>>>
<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
> >>>>>>>><br>
</div>
<div class="">> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>><br>
> >>>>>>>>
wrote:<br>
</div>
<div>
<div class="h5">>
>>>>>>>>>
Resent as size limit.<br>
> >>>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>>
Here u are server1 's<br>
> >>>>>>>>>
access log seem one<br>
> side broken<br>
> >>>>>>>>><br>
> >>>>>>>>>
the problem is how to make<br>
> >>>>>>>>>
it replicate again.<br>
> >>>>>>>>><br>
> >>>>>>>>>
At server 1<br>
> >>>>>>>>><br>
> >>>>>>>>>
it is ok master server1<br>
> >>>>>>>>>
master server2<br>
> >>>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>>
Another side server 2<br>
> >>>>>>>>>
contains 2 ip replication.<br>
> >>>>>>>>><br>
> >>>>>>>>>
ipa-replica-manage list<br>
> >>>>>>>>>
shown Can't contact<br>
> LDAP server<br>
> >>>>>>>>><br>
> >>>>>>>>>
I don't know why but the problematic server is server 2 not server 1<br>
> >>>>>>>>><br>
> >>>>>>>>>
log of server2<br>
> >>>>>>>>>
[08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from 192.168.15.89 (server1) to 192.168.15.88(server2)<br>
> >>>>>>>>>
[08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1<br>
> >>>>>>>>>
[08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88<br>
> >>>>>>>>>
[08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1<br>
> >>>>>>>>>
[08/Jul/2014:16:02:41 +0800] conn=3299733 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88<br>
> >>>>>>>>>
[08/Jul/2014:16:02:41 +0800] conn=3299733 op=-1 fd=69 closed - B1<br>
> >>>>>>>><br>
> >>>>>>>>
You never answered my question below. "Are you sure that this connection is a replication session? Can you post all of the operations from the access log from conn=936207?"<br>
> >>>>>>>><br>
> >>>>>>>>
In the future, please avoid spamming the list with large log files. In general, it's better to provide excerpts from the log files showing the problem, paste them to <a moz-do-not-send="true" href="http://fpaste.org" target="_blank">fpaste.org</a>, and post the link to the mailing list. If for some reason you need to post a large file, please use a file sharing service and post the link to the file.<br>
> >>>>>>>><br>
> >>>>>>>>
Can you take a look at your errors log from server 1 and server 2 and see if there are any relevant errors?<br>
> >>>>>>>><br>
> >>>>>>>>
If I had to guess, I would say that there is some sort of network error between server 1 and server 2 that causes the excessive closed - B1. Perhaps there will be more information in the errors log.<br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>>
2014-07-07 22:21 GMT+08:00<br>
> >>>>>>>>>
Rich Megginson<br>
> >>>>>>>>>
<<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
> >>>>>>>>><br>
</div>
</div>
> <mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>>:<br>
<div class="">> >>>>>>>>><br>
> >>>>>>>>>
On 07/04/2014<br>
> 03:28 AM,<br>
> >>>>>>>>>
<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
> >>>>>>>>><br>
</div>
<div class="">> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>><br>
> >>>>>>>>>
wrote:<br>
</div>
<div>
<div class="h5">>
>>>>>>>>>>
FOUND something strange that server 1 replicate to itself rather than server2<br>
> >>>>>>>>>><br>
> >>>>>>>>>>
Server1 access log > Wrong<br>
> >>>>>>>>>>
[04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.15.89(server1) to 192.168.15.89 (server1)<br>
> >>>>>>>>><br>
> >>>>>>>>>
Are you sure that this connection is a replication session? Can you post all of the operations from the access log from conn=936207?<br>
> >>>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>>
Server 2 access log > OK<br>
> >>>>>>>>>>
[04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection from 192.168.15.89(server2) to 192.168.15.88 (server2)<br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>>
2014-07-04 9:25<br>
> >>>>>>>>>>
GMT+08:00<br>
> >>>>>>>>>><br>
> <<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
> >>>>>>>>>><br>
</div>
</div>
> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>>>:<br>
<div>
<div class="h5">>
>>>>>>>>>><br>
> >>>>>>>>>>
Just sure now one side flow is broken, if u update server1 , it 100% work server2 will upgrade. but if u update server2 there is chance non-syn e.g it create username in server1 with posfix grp >ok but in server2 it only created posfix grp but no username /attribute it occur several times. I have to use command line grp del ...etc. to force del them and recreate them.,.<br>
> >>>>>>>>>><br>
> >>>>>>>>>>
Result below:<br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>>
server2.abc.com: replica<br>
> >>>>>>>>>>
last init status: None<br>
> >>>>>>>>>>
last init ended: None<br>
> >>>>>>>>>>
last update status: 0 Replica acquired successfully: Incremental update succeeded<br>
> >>>>>>>>>>
last update ended: 2014-07-04 00:33:18+00:00<br>
> >>>>>>>>>><br>
> >>>>>>>>>>
Directory Manager password:<br>
> >>>>>>>>>><br>
> >>>>>>>>>>
server1.abc.com: replica<br>
> >>>>>>>>>>
last init status: 0 Total update succeeded<br>
> >>>>>>>>>>
last init ended: 2014-06-20 10:07:02+00:00<br>
> >>>>>>>>>>
last update status: 0 Replica acquired successfully: Incremental update succeeded<br>
> >>>>>>>>>>
last update ended: 2014-07-04 01:14:19+00:00<br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>>
[root@(LIVE)server2 ~]$ ipactl status<br>
> >>>>>>>>>>
Directory Service: RUNNING<br>
> >>>>>>>>>>
KDC Service: RUNNING<br>
> >>>>>>>>>>
KPASSWD Service: RUNNING<br>
> >>>>>>>>>>
MEMCACHE Service: RUNNING<br>
> >>>>>>>>>>
HTTP Service: RUNNING<br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>>
2014-07-04 1:34<br>
> >>>>>>>>>>
GMT+08:00 Rob<br>
> >>>>>>>>>>
Crittenden<br>
> >>>>>>>>>><br>
> <<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> >>>>>>>>>><br>
</div>
</div>
> <mailto:<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>>:<br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> <a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>><br>
> >>>>>>>>>><br>
<div class="">> <mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>><br>
> >>>>>>>>>>
wrote:<br>
</div>
<div>
<div class="h5">>
>>>>>>>>>>
> Yes they are running. Server 1 can syn to server2 but error at server 2<br>
> >>>>>>>>>>
> like this.<br>
> >>>>>>>>>><br>
> >>>>>>>>>>
How do you know server 1 is syncing with server 2?<br>
> >>>>>>>>>><br>
> >>>>>>>>>>
On server 1 I'd run:<br>
> >>>>>>>>>><br>
> >>>>>>>>>>
ipa-replica-manage list -v `hostname`<br>
> >>>>>>>>>><br>
> >>>>>>>>>>
This will show the replication status.<br>
> >>>>>>>>>><br>
> >>>>>>>>>>
And what does ipactl status show on server 2?<br>
> >>>>>>>>>><br>
> >>>>>>>>>>
rob<br>
> >>>>>>>>>><br>
> >>>>>>>>>>
><br>
> >>>>>>>>>>
> On 2014/7/3 at 10:14 PM, "Rob Crittenden" <<a moz-do-not-send="true" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br>
</div>
</div>
<div class="">
> >>>>>>>>>>
><br>
> >>>>>>>>>>
> Please keep replies on the list.<br>
> >>>>>>>>>>
><br>
> >>>>>>>>>>
><br>
> >>>>>>>>>><br>
> >>>>>>>>>>
> <a moz-do-not-send="true" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> wrote:<br>
</div>
<div>
<div class="h5">
> >>>>>>>>>>
> >
I saw the error below and error log is it related ?<br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> > 29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)<br>
> >>>>>>>>>>
> > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)<br>
> >>>>>>>>>>
><br>
> >>>>>>>>>>
> I believe this is fairly normal on a new startup. It has to start somewhere. The expired ticket errors below are unexpected since there are so many of them. Is your KDC running?<br>
> >>>>>>>>>>
><br>
> >>>>>>>>>>
> ipactl status<br>
> >>>>>>>>>>
><br>
> >>>>>>>>>>
> rob<br>
> >>>>>>>>>>
><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
2014-07-02 14:15 GMT+08:00 <<a moz-do-not-send="true" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>:<br>
</div>
</div>
<div>
<div class="h5">>
>>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
this is the error log i found at 2.abc.com<br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>><br>
> >>>>>>>>>>
> > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)<br>
> >>>>>>>>>>
> > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)<br>
> >>>>>>>>>>
> > [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)<br>
</div>
</div>
> >>>>>>>>>>
> > [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meTo1.abc.com" (central:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))<br>
<div>
<div class="h5">
> >>>>>>>>>>
> ><br>
> >>>>>>>>>><br>
> >>>>>>>>>>
> > [30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)<br>
> >>>>>>>>>>
> > [30/Jun/2014:12:51:35 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)<br>
> >>>>>>>>>>
> > [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)<br>
> >>>>>>>>>>
> > [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)<br>
> >>>>>>>>>>
> > [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)<br>
> >>>>>>>>>>
> > [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)<br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
</div>
</div>
> >>>>>>>>>>
2014-07-02 12:32 GMT+08:00 <<a moz-do-not-send="true" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>>:<br>
<div class="">>
>>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
yes on node 1 it is happening only node2 fail connect<br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>>
> > ipa-replica-manage list 2.abc.com<br>
</div>
<div class="">> >>>>>>>>>>
> > Directory Manager password:<br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> > 1.abc.com: replica<br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
2014-06-30 20:59 GMT+08:00 Rob Crittenden <<a moz-do-not-send="true" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>:<br>
</div>
<div class="HOEnZb">
<div class="h5">
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>><br>
> Barry wrote:<br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>>
> Hi:<br>
> >>>>>>>>>>
> ><br>
> >>>>>>>>>><br>
> >>>>> ...<br>
> >>>>><br>
> >>>><br>
> >>>><br>
> >>>><br>
> >>><br>
> >>><br>
> >><br>
> >><br>
> ><br>
> ><br>
> ><br>
><br>
><br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
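The per-connection view asked for in the thread ("post all of the operations from the access log from conn=936207"), as an added example that is not part of the original messages: it groups 389 DS access-log lines by conn=, then flags connections that close without a single LDAP operation, that come from the server's own address, or that fail on CA trust. The sample reuses excerpts quoted in the thread plus one constructed healthy session (conn=42); the function and flag names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: the first six lines reuse excerpts quoted in the thread;
# conn=42 is a made-up healthy session added for contrast.
SAMPLE_ACCESS_LOG = """\
[04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.15.89 to 192.168.15.89
[04/Jul/2014:12:35:30 +0800] conn=936207 op=-1 fd=73 closed - B1
[08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
[16/Jul/2014:10:01:38 +0800] conn=1018090 fd=72 slot=72 SSL connection from 192.168.15.88 to 192.168.15.88
[16/Jul/2014:10:01:38 +0800] conn=1018090 op=-1 fd=72 closed - Peer does not recognize and trust the CA that issued your certificate
[16/Jul/2014:10:02:00 +0800] conn=42 fd=64 slot=64 connection from 192.168.15.89 to 192.168.15.88
[16/Jul/2014:10:02:00 +0800] conn=42 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Jul/2014:10:02:00 +0800] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[16/Jul/2014:10:02:01 +0800] conn=42 op=1 UNBIND
[16/Jul/2014:10:02:01 +0800] conn=42 op=1 fd=64 closed - U1
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OPEN = re.compile(
    r"^fd=\d+ slot=\d+ (?P<tls>SSL )?connection from (?P<src>\S+) to (?P<dst>\S+)$"
)
CLOSE = re.compile(r"^op=-?\d+ fd=\d+ closed - (?P<reason>.+)$")
REQUEST = re.compile(r"^op=\d+ (?P<verb>[A-Z]+)\b")


@dataclass
class Conn:
    conn_id: str
    src: str = ""
    dst: str = ""
    tls: bool = False
    requests: list = field(default_factory=list)  # BIND, SRCH, EXT, UNBIND, ...
    close_reason: str = ""


def parse_access_log(text):
    """Group access-log lines by connection id."""
    conns = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn = conns.setdefault(m.group("conn"), Conn(m.group("conn")))
        rest = m.group("rest")
        opened, closed, req = OPEN.match(rest), CLOSE.match(rest), REQUEST.match(rest)
        if opened:
            conn.src, conn.dst = opened.group("src"), opened.group("dst")
            conn.tls = opened.group("tls") is not None
        elif closed:
            conn.close_reason = closed.group("reason")
        elif req and req.group("verb") != "RESULT":
            conn.requests.append(req.group("verb"))
    return conns


def triage(conns):
    """Return {conn_id: [flags]} for connections worth a closer look."""
    findings = {}
    for cid, c in conns.items():
        flags = []
        # Closed before any request arrived: with B1 (bad BER tag) this means the
        # peer sent no valid LDAP or dropped the socket, so it was never a
        # replication session as far as the access log can tell.
        if c.close_reason and not c.requests:
            flags.append("no-operations")
        # Source and destination are the same host: a local client or health
        # check, not traffic from the other replica.
        if c.src and c.src == c.dst:
            flags.append("self-connection")
        # TLS handshake rejected because the client does not trust the issuing CA.
        if "trust the CA" in c.close_reason:
            flags.append("peer-rejects-ca")
        if flags:
            findings[cid] = flags
    return findings


def close_reason_summary(conns):
    """Count close reasons per (source, destination) pair."""
    return Counter((c.src, c.dst, c.close_reason) for c in conns.values() if c.close_reason)


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_ACCESS_LOG)
    for cid, flags in triage(parsed).items():
        c = parsed[cid]
        print(f"conn={cid} {c.src} -> {c.dst} closed={c.close_reason!r} flags={flags}")
    for key, count in close_reason_summary(parsed).items():
        print(count, key)
```
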
</body>
</html>