<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/18/2014 07:44 PM, Will Sheldon
wrote:<br>
</div>
<blockquote
cite="mid:etPan.546b93a6.327b23c6.16f@Drone-5.appnovation.com"
type="cite">
<style>body{font-family:Helvetica,Arial;font-size:13px}</style>
<div id="bloop_customfont"
style="font-family:Helvetica,Arial;font-size:13px; color:
rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br>
</div>
No, not resolved yet I did test with GSSAPI (-Y) and like you it
worked. :(</blockquote>
<br>
Hello,<br>
<br>
Would it be possible to get server1/server2 logs (error/access) and
config (dse.ldif) ?. Turning on replication logs would help (<br>
<a class="moz-txt-link-freetext" href="http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting">http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting</a>).<br>
<br>
In the sample of the log, there is a failure while ending a
replication session. No replication error before ?<br>
It is like suddenly server1 was no longer able to reach server2 (dns
or network issue ?).<br>
<br>
thanks<br>
thierry<br>
<blockquote
cite="mid:etPan.546b93a6.327b23c6.16f@Drone-5.appnovation.com"
type="cite">
<div><br>
</div>
<div>
<div id="bloop_sign_1416336143796808960" class="bloop_sign">
<div style="font-family:helvetica,arial;font-size:13px"> <br>
Will Sheldon<br>
</div>
<div style="font-family:helvetica,arial;font-size:13px"><br>
</div>
</div>
<p style="color:#000;">On November 18, 2014 at 8:37:10 AM,
<a class="moz-txt-link-abbreviated" href="mailto:dbischof@hrz.uni-kassel.de">dbischof@hrz.uni-kassel.de</a> (<a moz-do-not-send="true"
href="mailto:dbischof@hrz.uni-kassel.de">dbischof@hrz.uni-kassel.de</a>)
wrote:</p>
<blockquote type="cite" class="clean_bq"><span>
<div>
<div>Hi,<br>
<br>
On Fri, 7 Nov 2014, Dmitri Pal wrote:<br>
<br>
> On 11/07/2014 01:24 AM, Will Sheldon wrote:<br>
>> On November 6, 2014 at 10:07:54 PM, Dmitri Pal
(<a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <br>
>> <a class="moz-txt-link-rfc2396E" href="mailto:dpal@redhat.com"><mailto:dpal@redhat.com></a>) wrote:<br>
>>> On 11/07/2014 12:18 AM, Will Sheldon wrote:<br>
>>>> <br>
>>>> On the whole we are loving FreeIPA,
Many thanks and much respect to <br>
>>>> all involved, we’ve had a great 12-18
months hassle free use out of <br>
>>>> it - it is a fantastically stable
trouble free solution… however now <br>
>>>> we’ve run into a small issue we (as
mere mortals) are finding it hard <br>
>>>> to resolve :-/<br>
>>>> <br>
>>>> We upgraded our ipa servers (3.0.0-42)
to Centos 6.6. everything <br>
>>>> seems to go well, but one server is
behaving oddly. It’s likely not <br>
>>>> an IPA issue, it also reset it’s
hostname somehow after the upgrade <br>
>>>> (it’s an image in an openstack
environment)<br>
>>>> <br>
>>>> If anyone has any pointers as to how to
debug I’d be hugely <br>
>>>> appreciative :)<br>
>>>> <br>
>>>> Two servers, server1.domain.com and
server2.domain.com<br>
>>>> <br>
>>>> Server1 can’t push data to server2,
there are updates and new records <br>
>>>> on server1 that do not exist on
server2.<br>
>>>> <br>
>>>> <br>
>>>> from the logs on server1:<br>
>>>> <br>
>>>> [07/Nov/2014:01:33:42 +0000]
NSMMReplicationPlugin - <br>
>>>> agmt="cn=meToserver2.domain.com"
(server2:389): Warning: unable to send <br>
>>>> endReplication extended operation
(Can't contact LDAP server)<br>
>>>> [07/Nov/2014:01:33:47 +0000]
NSMMReplicationPlugin - <br>
>>>> agmt="cn=meToserver2.domain.com"
(server2:389): Replication bind with <br>
>>>> GSSAPI auth resumed<br>
>>>> [07/Nov/2014:01:33:48 +0000]
NSMMReplicationPlugin - <br>
>>>> agmt="cn=meToserver2.domain.com"
(server2:389): Warning: unable to <br>
>>>> replicate schema: rc=2<br>
>>>> [07/Nov/2014:01:33:48 +0000]
NSMMReplicationPlugin - <br>
>>>> agmt="cn=meToserver2.domain.com"
(server2:389): Consumer failed to replay <br>
>>>> change (uniqueid (null), CSN (null)):
Can't contact LDAP server(-1). Will <br>
>>>> retry later.<br>
>>> <br>
>>> Try to see<br>
>>> a) Server 1 properly resolves server 2<br>
>>> b) You can connect from server 1 to server
2 using ldapsearch<br>
>>> c) your firewall has proper ports open<br>
>>> d) dirserver on server 2 is actually
running<br>
>> <br>
>> All seems working:<br>
>> <br>
>> [root@server1 ~]# ldapsearch -x -H
<a class="moz-txt-link-freetext" href="ldap://server2.domain.com">ldap://server2.domain.com</a> -s base -b '' <br>
>> namingContexts<br>
><br>
> Can you try kinit admin and then use kerberos
GSSAPI to connect, i.e. -Y <br>
> switch?<br>
<br>
is this resolved? I observe it on my systems, too. Exact
same symptoms. <br>
ldapsearch with "-Y GSSAPI" works.<br>
<br>
> Did you find anything in the server2 logs?<br>
<br>
On my "server2", I see "sasl_io_recv failed to decode
packet for <br>
connection #".<br>
<br>
Could there be something wrong with default buffer sizes
as described in <br>
<a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=953653">https://bugzilla.redhat.com/show_bug.cgi?id=953653</a><br>
<br>
I have nsslapd-sasl-max-buffer-size: 65536 on both
machines, but my <br>
database is rather small: ~30 users, <10 hosts and
services.<br>
<br>
>> # extended LDIF<br>
>> #<br>
>> # LDAPv3<br>
>> # base <> with scope baseObject<br>
>> # filter: (objectclass=*)<br>
>> # requesting: namingContexts<br>
>> #<br>
>> <br>
>> #<br>
>> dn:<br>
>> namingContexts: dc=domain,dc=com<br>
>> <br>
>> # search result<br>
>> search: 2<br>
>> result: 0 Success<br>
>> <br>
>> # numResponses: 2<br>
>> # numEntries: 1<br>
>> [root@server1 ~]#<br>
>> <br>
>> And:<br>
>> <br>
>> [root@server2 ~]# /etc/init.d/dirsrv status<br>
>> dirsrv DOMAIN-COM (pid 1009) is running...<br>
>> dirsrv PKI-IPA (pid 1083) is running...<br>
>> [root@server2 ~]#<br>
>> <br>
>>> <br>
>>> Check logs on server 2 to see whether it
actually sees an attempt to <br>
>>> connect, I suspect not, so it is most
likely a DNS/FW issue or dir server <br>
>>> is not running on 2.<br>
>>>> <br>
>>>> <br>
>>>> and the servers:<br>
>>>> <br>
>>>> [root@server1 ~]# ipa-replica-manage
list -v `hostname`<br>
>>>> Directory Manager password:<br>
>>>> <br>
>>>> server2.domain.com: replica<br>
>>>> last init status: None<br>
>>>> last init ended: None<br>
>>>> last update status: 0 Replica acquired
successfully: Incremental update <br>
>>>> started<br>
>>>> last update ended: 2014-11-07
01:35:58+00:00<br>
>>>> [root@server1 ~]#<br>
>>>> <br>
>>>> <br>
>>>> <br>
>>>> [root@server2 ~]# ipa-replica-manage
list -v `hostname`<br>
>>>> Directory Manager password:<br>
>>>> <br>
>>>> server1.domain.com: replica<br>
>>>> last init status: None<br>
>>>> last init ended: None<br>
>>>> last update status: 0 Replica acquired
successfully: Incremental update <br>
>>>> succeeded<br>
>>>> last update ended: 2014-11-07
01:35:43+00:00<br>
>>>> [root@server2 ~]#<br>
<br>
<br>
Mit freundlichen Gruessen/With best regards,<br>
<br>
--Daniel.<br>
<br>
-- <br>
Manage your subscription for the Freeipa-users mailing
list:<br>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a class="moz-txt-link-freetext" href="http://freeipa.org">http://freeipa.org</a> for more info on the project</div>
</div>
</span></blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>