<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 11/07/2014 01:24 AM, Will Sheldon
      wrote:<br>
    </div>
    <blockquote cite="mid:etPan.545c65b2.5bd062c2.144@Drone-3.local"
      type="cite">
      <style>body{font-family:Helvetica,Arial;font-size:13px}</style>
      <div id="bloop_customfont"
        style="font-family:Helvetica,Arial;font-size:13px; color:
        rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
        <div id="bloop_customfont" style="margin: 0px;">On November 6,
          2014 at 10:07:54 PM, Dmitri Pal (<a moz-do-not-send="true"
            href="mailto:dpal@redhat.com">dpal@redhat.com</a>) wrote:</div>
      </div>
      <div>
        <blockquote type="cite" class="clean_bq" style="color: rgb(0, 0,
          0); font-family: Helvetica, Arial; font-size: 13px;
          font-style: normal; font-variant: normal; font-weight: normal;
          letter-spacing: normal; line-height: normal; orphans: auto;
          text-align: start; text-indent: 0px; text-transform: none;
          white-space: normal; widows: auto; word-spacing: 0px;
          -webkit-text-stroke-width: 0px;"><span>
            <div bgcolor="#FFFFFF" text="#000000">
              <div>
                <div class="moz-cite-prefix">On 11/07/2014 12:18 AM,
                  Will Sheldon wrote:<br>
                </div>
                <blockquote
                  cite="mid:etPan.545c5626.7545e146.144@Drone-3.local"
                  type="cite">
                  <div id="bloop_customfont" style="font-family:
                    Helvetica, Arial; font-size: 13px; color: rgb(0, 0,
                    0); margin: 0px;">
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">Hello
                      all :)</div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">On
                      the whole we are loving FreeIPA. Many thanks and
                      much respect to all involved; we’ve had a great
                      12-18 months of hassle-free use out of it - it is a
                      fantastically stable, trouble-free solution…
                      however, now we’ve run into a small issue we (as
                      mere mortals) are finding it hard to resolve :-/</div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">We
                      upgraded our IPA servers (3.0.0-42) to CentOS 6.6.
                      Everything seems to go well, but one server is
                      behaving oddly. It’s likely not an IPA issue; it
                      also reset its hostname somehow after the upgrade
                      (it’s an image in an OpenStack environment) </div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">If
                      anyone has any pointers as to how to debug I’d be
                      hugely appreciative :)</div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">Two
                      servers, server1.domain.com and
                      server2.domain.com </div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">Server1
                      can’t push data to server2, there are updates and
                      new records on server1 that do not exist on
                      server2.</div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">From
                      the logs on server1:</div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">[07/Nov/2014:01:33:42
                      +0000] NSMMReplicationPlugin -
                      agmt="cn=meToserver2.domain.com" (server2:389):
                      Warning: unable to send endReplication extended
                      operation (Can't contact LDAP server)</div>
                    <div id="bloop_customfont" style="margin: 0px;">[07/Nov/2014:01:33:47
                      +0000] NSMMReplicationPlugin -
                      agmt="cn=meToserver2.domain.com" (server2:389):
                      Replication bind with GSSAPI auth resumed</div>
                    <div id="bloop_customfont" style="margin: 0px;">[07/Nov/2014:01:33:48
                      +0000] NSMMReplicationPlugin -
                      agmt="cn=meToserver2.domain.com" (server2:389):
                      Warning: unable to replicate schema: rc=2</div>
                    <div id="bloop_customfont" style="margin: 0px;">[07/Nov/2014:01:33:48
                      +0000] NSMMReplicationPlugin -
                      agmt="cn=meToserver2.domain.com" (server2:389):
                      Consumer failed to replay change (uniqueid (null),
                      CSN (null)): Can't contact LDAP server(-1). Will
                      retry later.</div>
                  </div>
                </blockquote>
                <br>
                Try to see<br>
                a) Server 1 properly resolves server 2<br>
                b) You can connect from server 1 to server 2 using
                ldapsearch<br>
                c) your firewall has proper ports open<br>
                d) dirserver on server 2 is actually running</div>
            </div>
          </span></blockquote>
      </div>
      <p>All seems to be working:</p>
      <div id="bloop_customfont" style="margin: 0px;">
        <div id="bloop_customfont" style="margin: 0px;">[root@server1
          ~]# ldapsearch -x -H <a class="moz-txt-link-freetext" href="ldap://server2.domain.com">ldap://server2.domain.com</a> -s base -b ''
          namingContexts</div>
      </div>
    </blockquote>
    <br>
    Can you try kinit admin and then use Kerberos GSSAPI to connect,
    i.e. the -Y switch?<br>
    <br>
    Did you find anything in the server2 logs?<br>
    <br>
    <blockquote cite="mid:etPan.545c65b2.5bd062c2.144@Drone-3.local"
      type="cite">
      <div id="bloop_customfont" style="margin: 0px;">
        <div id="bloop_customfont" style="margin: 0px;"># extended LDIF</div>
        <div id="bloop_customfont" style="margin: 0px;">#</div>
        <div id="bloop_customfont" style="margin: 0px;"># LDAPv3</div>
        <div id="bloop_customfont" style="margin: 0px;"># base &lt;&gt;
          with scope baseObject</div>
        <div id="bloop_customfont" style="margin: 0px;"># filter:
          (objectclass=*)</div>
        <div id="bloop_customfont" style="margin: 0px;"># requesting:
          namingContexts</div>
        <div id="bloop_customfont" style="margin: 0px;">#</div>
        <div id="bloop_customfont" style="margin: 0px;"><br>
        </div>
        <div id="bloop_customfont" style="margin: 0px;">#</div>
        <div id="bloop_customfont" style="margin: 0px;">dn:</div>
        <div id="bloop_customfont" style="margin: 0px;">namingContexts:
          dc=domain,dc=com</div>
        <div id="bloop_customfont" style="margin: 0px;"><br>
        </div>
        <div id="bloop_customfont" style="margin: 0px;"># search result</div>
        <div id="bloop_customfont" style="margin: 0px;">search: 2</div>
        <div id="bloop_customfont" style="margin: 0px;">result: 0
          Success</div>
        <div id="bloop_customfont" style="margin: 0px;"><br>
        </div>
        <div id="bloop_customfont" style="margin: 0px;"># numResponses:
          2</div>
        <div id="bloop_customfont" style="margin: 0px;"># numEntries: 1</div>
        <div id="bloop_customfont" style="margin: 0px;">[root@server1
          ~]#</div>
        <div id="bloop_customfont" style="margin: 0px;"><br>
        </div>
        <div id="bloop_customfont" style="margin: 0px;">And:</div>
        <div id="bloop_customfont" style="margin: 0px;"><br>
        </div>
        <div id="bloop_customfont" style="margin: 0px;">[root@server2
          ~]# /etc/init.d/dirsrv status</div>
        <div id="bloop_customfont" style="margin: 0px;">dirsrv
          DOMAIN-COM (pid 1009) is running...</div>
        <div id="bloop_customfont" style="margin: 0px;">dirsrv PKI-IPA
          (pid 1083) is running...</div>
        <div id="bloop_customfont" style="margin: 0px;">[root@server2
          ~]#</div>
      </div>
      <div>
        <blockquote type="cite" class="clean_bq" style="color: rgb(0, 0,
          0); font-family: Helvetica, Arial; font-size: 13px;
          font-style: normal; font-variant: normal; font-weight: normal;
          letter-spacing: normal; line-height: normal; orphans: auto;
          text-align: start; text-indent: 0px; text-transform: none;
          white-space: normal; widows: auto; word-spacing: 0px;
          -webkit-text-stroke-width: 0px;"><span>
            <div bgcolor="#FFFFFF" text="#000000">
              <div><br>
                <br>
                Check logs on server 2 to see whether it actually sees
                an attempt to connect. I suspect not, so it is most
                likely a DNS/FW issue or the dir server is not running on 2.<br>
                <blockquote
                  cite="mid:etPan.545c5626.7545e146.144@Drone-3.local"
                  type="cite">
                  <div id="bloop_customfont" style="font-family:
                    Helvetica, Arial; font-size: 13px; color: rgb(0, 0,
                    0); margin: 0px;">
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">and
                      the servers:</div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">[root@server1
                      ~]# ipa-replica-manage list -v `hostname`</div>
                    <div id="bloop_customfont" style="margin: 0px;">Directory
                      Manager password:</div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">server2.domain.com:
                      replica</div>
                    <div id="bloop_customfont" style="margin: 0px;"> 
                      last init status: None</div>
                    <div id="bloop_customfont" style="margin: 0px;"> 
                      last init ended: None</div>
                    <div id="bloop_customfont" style="margin: 0px;"> 
                      last update status: 0 Replica acquired
                      successfully: Incremental update started</div>
                    <div id="bloop_customfont" style="margin: 0px;"> 
                      last update ended: 2014-11-07 01:35:58+00:00</div>
                    <div id="bloop_customfont" style="margin: 0px;">[root@server1
                      ~]#</div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">[root@server2
                      ~]# ipa-replica-manage list -v `hostname`</div>
                    <div id="bloop_customfont" style="margin: 0px;">Directory
                      Manager password:</div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                    <div id="bloop_customfont" style="margin: 0px;">server1.domain.com:
                      replica</div>
                    <div id="bloop_customfont" style="margin: 0px;"> 
                      last init status: None</div>
                    <div id="bloop_customfont" style="margin: 0px;"> 
                      last init ended: None</div>
                    <div id="bloop_customfont" style="margin: 0px;"> 
                      last update status: 0 Replica acquired
                      successfully: Incremental update succeeded</div>
                    <div id="bloop_customfont" style="margin: 0px;"> 
                      last update ended: 2014-11-07 01:35:43+00:00</div>
                    <div id="bloop_customfont" style="margin: 0px;">[root@server2
                      ~]#</div>
                    <div id="bloop_customfont" style="margin: 0px;"><br>
                    </div>
                  </div>
                  <br>
                  <div class="bloop_sign"
                    id="bloop_sign_1415337035755609088">
                    <div style="font-family: helvetica, arial;
                      font-size: 13px;"><br>
                    </div>
                    <div style="font-family: helvetica, arial;
                      font-size: 13px;"> <br>
                      Will Sheldon<br>
                      <br>
                    </div>
                  </div>
                  <br>
                  <br>
                </blockquote>
                <br>
                <br>
                <pre class="moz-signature" cols="72">--  
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
</pre>
                </div>
            </div>
          </span></blockquote>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
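    <p>Added example, not part of the original messages: a small triage script for the server1 error-log lines quoted in this thread. It flags replication agreements where a "Can't contact LDAP server" error follows a resumed GSSAPI bind, a path that the anonymous <code>ldapsearch -x</code> test does not exercise. The category names and the 5-second window are assumptions made for this sketch.</p>

```python
import re
from datetime import datetime, timedelta

# Log lines quoted in this thread (server1 error log), rejoined onto single lines.
SAMPLE_LOG = """\
[07/Nov/2014:01:33:42 +0000] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server)
[07/Nov/2014:01:33:47 +0000] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.com" (server2:389): Replication bind with GSSAPI auth resumed
[07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to replicate schema: rc=2
[07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.com" (server2:389): Consumer failed to replay change (uniqueid (null), CSN (null)): Can't contact LDAP server(-1). Will retry later.
"""

# [timestamp] NSMMReplicationPlugin - agmt="name" (consumer:port): message
LINE_RE = re.compile(
    r'^\[([^\]]+)\] NSMMReplicationPlugin - agmt="([^"]+)" \(([^)]+)\): (.*)$')

def parse(log_text):
    """Yield (timestamp, agreement, consumer, message) for each replication line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group(2), m.group(3), m.group(4)

def classify(msg):
    """Map a message to a coarse category (names are this sketch's own)."""
    if "Can't contact LDAP server" in msg:
        return "transport"
    if "bind with GSSAPI auth resumed" in msg:
        return "bind_ok"
    if "unable to replicate schema" in msg:
        return "schema"
    return "other"

def drops_after_bind(log_text, window=timedelta(seconds=5)):
    """Return agreements where a transport error follows a resumed GSSAPI bind within `window`."""
    last_bind, flagged = {}, []
    for ts, agmt, _consumer, msg in parse(log_text):
        kind = classify(msg)
        if kind == "bind_ok":
            last_bind[agmt] = ts
        elif kind == "transport" and agmt in last_bind:
            if ts - last_bind[agmt] <= window and agmt not in flagged:
                flagged.append(agmt)
    return flagged
```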
  </body>
</html>