<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello Will, Daniel,<br>
<br>
Server1 successfully replicates to Server2, but Server2 fails to
replicate to Server1.<br>
<br>
The replication Server2->Server1 is done with Kerberos
authentication. <br>
Server1 receives the replication session, successfully identifies
the replication manager, starts to receive replication extops, but
suddenly closes the connection.<br>
<br>
<br>
<blockquote><tt>[19/Nov/2014:14:21:39 +0100] conn=2980 fd=78
slot=78 connection from xxx to yyy</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=0 BIND dn=""
method=sasl version=3 mech=GSSAPI</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=0 RESULT err=14
tag=97 nentries=0 etime=0, SASL bind in progress</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=1 BIND dn=""
method=sasl version=3 mech=GSSAPI</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=1 RESULT err=14
tag=97 nentries=0 etime=0, SASL bind in progress</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=2 BIND dn=""
method=sasl version=3 mech=GSSAPI</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=2 RESULT err=0
tag=97 nentries=0 etime=0
dn="krbprincipalname=xxx"</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=3 SRCH base=""
scope=0 filter="(objectClass=*)" attrs="supportedControl
supportedExtension"</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=3 RESULT err=0
tag=101 nentries=1 etime=0</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=4 SRCH base=""
scope=0 filter="(objectClass=*)" attrs="supportedControl
supportedExtension"</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=4 RESULT err=0
tag=101 nentries=1 etime=0</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=5 EXT
oid="2.16.840.1.113730.3.5.12"
name="replication-multimaster-extop"</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=5 RESULT err=0
tag=120 nentries=0 etime=0</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=6 SRCH
base="cn=schema" scope=0 filter="(objectClass=*)"
attrs="nsSchemaCSN"</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=6 RESULT err=0
tag=101 nentries=1 etime=0</tt><br>
<tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=-1 fd=78 closed -
I/O function error.</tt><br>
<br>
</blockquote>
The reason for this closure is logged in the server1 error log:
sasl_decode fails to decode a received PDU.<br>
<blockquote><tt>[19/Nov/2014:14:21:39 +0100] - sasl_io_recv failed
to decode packet for connection 2980</tt><br>
</blockquote>
I do not know why it fails, but I wonder if the received PDU is not
larger than the maximum configured value. The attribute
nsslapd-maxsasliosize is set to 2Mb by default. Would it be
possible to increase its value (5Mb) to see if it has an impact?<br>
<br>
Thanks<br>
thierry<br>
<br>
On 11/19/2014 09:49 AM, thierry bordaz wrote:<br>
</div>
<blockquote cite="mid:546C599B.9090101@redhat.com" type="cite">
<div class="moz-cite-prefix">On 11/18/2014 07:44 PM, Will Sheldon
wrote:<br>
</div>
<blockquote
cite="mid:etPan.546b93a6.327b23c6.16f@Drone-5.appnovation.com"
type="cite">
No, not resolved yet. I did test with GSSAPI (-Y) and like you it
worked. :(</blockquote>
<br>
Hello,<br>
<br>
Would it be possible to get the server1/server2 logs (error/access)
and config (dse.ldif)? Turning on replication logs would help (<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting">http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting</a>).<br>
<br>
In the sample of the log, there is a failure while ending a
replication session. No replication error before?<br>
It is like suddenly server1 was no longer able to reach server2
(DNS or network issue?).<br>
<br>
thanks<br>
thierry<br>
<blockquote
cite="mid:etPan.546b93a6.327b23c6.16f@Drone-5.appnovation.com"
type="cite">
<div><br>
</div>
<div>
<div id="bloop_sign_1416336143796808960" class="bloop_sign">
<div style="font-family:helvetica,arial;font-size:13px"> <br>
Will Sheldon<br>
</div>
<div style="font-family:helvetica,arial;font-size:13px"><br>
</div>
</div>
<p style="color:#000;">On November 18, 2014 at 8:37:10 AM, <a
moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:dbischof@hrz.uni-kassel.de">dbischof@hrz.uni-kassel.de</a>
(<a moz-do-not-send="true"
href="mailto:dbischof@hrz.uni-kassel.de">dbischof@hrz.uni-kassel.de</a>)
wrote:</p>
<blockquote type="cite" class="clean_bq"><span>
<div>
<div>Hi,<br>
<br>
On Fri, 7 Nov 2014, Dmitri Pal wrote:<br>
<br>
> On 11/07/2014 01:24 AM, Will Sheldon wrote:<br>
>> On November 6, 2014 at 10:07:54 PM, Dmitri
Pal (<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:dpal@redhat.com">dpal@redhat.com</a> <br>
>> <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:dpal@redhat.com"><mailto:dpal@redhat.com></a>)
wrote:<br>
>>> On 11/07/2014 12:18 AM, Will Sheldon
wrote:<br>
>>>> <br>
>>>> On the whole we are loving FreeIPA,
Many thanks and much respect to <br>
>>>> all involved, we’ve had a great 12-18
months hassle free use out of <br>
>>>> it - it is a fantastically stable
trouble free solution… however now <br>
>>>> we’ve run into a small issue we (as
mere mortals) are finding it hard <br>
>>>> to resolve :-/<br>
>>>> <br>
>>>> We upgraded our ipa servers
(3.0.0-42) to Centos 6.6. everything <br>
>>>> seems to go well, but one server is
behaving oddly. It’s likely not <br>
>>>> an IPA issue, it also reset its
hostname somehow after the upgrade <br>
>>>> (it’s an image in an openstack
environment)<br>
>>>> <br>
>>>> If anyone has any pointers as to how
to debug I’d be hugely <br>
>>>> appreciative :)<br>
>>>> <br>
>>>> Two servers, server1.domain.com and
server2.domain.com<br>
>>>> <br>
>>>> Server1 can’t push data to server2,
there are updates and new records <br>
>>>> on server1 that do not exist on
server2.<br>
>>>> <br>
>>>> <br>
>>>> from the logs on server1:<br>
>>>> <br>
>>>> [07/Nov/2014:01:33:42 +0000]
NSMMReplicationPlugin - <br>
>>>> agmt="cn=meToserver2.domain.com"
(server2:389): Warning: unable to send <br>
>>>> endReplication extended operation
(Can't contact LDAP server)<br>
>>>> [07/Nov/2014:01:33:47 +0000]
NSMMReplicationPlugin - <br>
>>>> agmt="cn=meToserver2.domain.com"
(server2:389): Replication bind with <br>
>>>> GSSAPI auth resumed<br>
>>>> [07/Nov/2014:01:33:48 +0000]
NSMMReplicationPlugin - <br>
>>>> agmt="cn=meToserver2.domain.com"
(server2:389): Warning: unable to <br>
>>>> replicate schema: rc=2<br>
>>>> [07/Nov/2014:01:33:48 +0000]
NSMMReplicationPlugin - <br>
>>>> agmt="cn=meToserver2.domain.com"
(server2:389): Consumer failed to replay <br>
>>>> change (uniqueid (null), CSN (null)):
Can't contact LDAP server(-1). Will <br>
>>>> retry later.<br>
>>> <br>
>>> Try to see<br>
>>> a) Server 1 properly resolves server 2<br>
>>> b) You can connect from server 1 to
server 2 using ldapsearch<br>
>>> c) your firewall has proper ports open<br>
>>> d) dirserver on server 2 is actually
running<br>
>> <br>
>> All seems working:<br>
>> <br>
>> [root@server1 ~]# ldapsearch -x -H <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="ldap://server2.domain.com">ldap://server2.domain.com</a>
-s base -b '' <br>
>> namingContexts<br>
><br>
> Can you try kinit admin and then use kerberos
GSSAPI to connect, i.e. -Y <br>
> switch?<br>
<br>
Is this resolved? I observe it on my systems, too.
Exact same symptoms. <br>
ldapsearch with "-Y GSSAPI" works.<br>
<br>
> Did you find anything in the server2 logs?<br>
<br>
On my "server2", I see "sasl_io_recv failed to decode
packet for <br>
connection #".<br>
<br>
Could there be something wrong with default buffer
sizes as described in <br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://bugzilla.redhat.com/show_bug.cgi?id=953653">https://bugzilla.redhat.com/show_bug.cgi?id=953653</a>?<br>
<br>
I have nsslapd-sasl-max-buffer-size: 65536 on both
machines, but my <br>
database is rather small: ~30 users, <10 hosts and
services.<br>
<br>
>> # extended LDIF<br>
>> #<br>
>> # LDAPv3<br>
>> # base <> with scope baseObject<br>
>> # filter: (objectclass=*)<br>
>> # requesting: namingContexts<br>
>> #<br>
>> <br>
>> #<br>
>> dn:<br>
>> namingContexts: dc=domain,dc=com<br>
>> <br>
>> # search result<br>
>> search: 2<br>
>> result: 0 Success<br>
>> <br>
>> # numResponses: 2<br>
>> # numEntries: 1<br>
>> [root@server1 ~]#<br>
>> <br>
>> And:<br>
>> <br>
>> [root@server2 ~]# /etc/init.d/dirsrv status<br>
>> dirsrv DOMAIN-COM (pid 1009) is running...<br>
>> dirsrv PKI-IPA (pid 1083) is running...<br>
>> [root@server2 ~]#<br>
>> <br>
>>> <br>
>>> Check logs on server 2 to see whether it
actually sees an attempt to <br>
>>> connect, I suspect not, so it is most
likely a DNS/FW issue or dir server <br>
>>> is not running on 2.<br>
>>>> <br>
>>>> <br>
>>>> and the servers:<br>
>>>> <br>
>>>> [root@server1 ~]# ipa-replica-manage
list -v `hostname`<br>
>>>> Directory Manager password:<br>
>>>> <br>
>>>> server2.domain.com: replica<br>
>>>> last init status: None<br>
>>>> last init ended: None<br>
>>>> last update status: 0 Replica
acquired successfully: Incremental update <br>
>>>> started<br>
>>>> last update ended: 2014-11-07
01:35:58+00:00<br>
>>>> [root@server1 ~]#<br>
>>>> <br>
>>>> <br>
>>>> <br>
>>>> [root@server2 ~]# ipa-replica-manage
list -v `hostname`<br>
>>>> Directory Manager password:<br>
>>>> <br>
>>>> server1.domain.com: replica<br>
>>>> last init status: None<br>
>>>> last init ended: None<br>
>>>> last update status: 0 Replica
acquired successfully: Incremental update <br>
>>>> succeeded<br>
>>>> last update ended: 2014-11-07
01:35:43+00:00<br>
>>>> [root@server2 ~]#<br>
<br>
<br>
Mit freundlichen Gruessen/With best regards,<br>
<br>
--Daniel.<br>
<br>
-- <br>
Manage your subscription for the Freeipa-users mailing
list:<br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://freeipa.org">http://freeipa.org</a> for
more info on the project</div>
</div>
</span></blockquote>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
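<p>An added example (not part of the thread above, and not 389-ds or FreeIPA project code) that turns the diagnosis in thierry's message into a check a practitioner can run: it parses access-log lines in the format quoted above, groups them by connection, and flags connections on which a SASL/GSSAPI bind succeeded but the connection then closed with "I/O function error", correlating them with "sasl_io_recv failed to decode packet" lines from the error log. It also reads the two SASL size limits discussed in the thread (nsslapd-maxsasliosize and nsslapd-sasl-max-buffer-size) from the cn=config entry of a dse.ldif. The log lines, the second (healthy) connection and the dse.ldif fragment, including the 2097152-byte value standing in for the "2Mb" default mentioned above, are constructed sample data; against a real instance the three texts would be read from the access log, the errors log and dse.ldif.</p>

```python
"""Correlate 389-ds access and error logs to find GSSAPI sessions that die
with a SASL decode failure, and read the configured SASL size limits."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample lines modelled on the access log quoted in the thread
# (hosts and bind DN redacted as in the original). conn=2981 is a healthy
# session added for contrast.
ACCESS_LOG = """\
[19/Nov/2014:14:21:39 +0100] conn=2980 fd=78 slot=78 connection from xxx to yyy
[19/Nov/2014:14:21:39 +0100] conn=2980 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Nov/2014:14:21:39 +0100] conn=2980 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[19/Nov/2014:14:21:39 +0100] conn=2980 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Nov/2014:14:21:39 +0100] conn=2980 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[19/Nov/2014:14:21:39 +0100] conn=2980 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Nov/2014:14:21:39 +0100] conn=2980 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=xxx"
[19/Nov/2014:14:21:39 +0100] conn=2980 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[19/Nov/2014:14:21:39 +0100] conn=2980 op=5 RESULT err=0 tag=120 nentries=0 etime=0
[19/Nov/2014:14:21:39 +0100] conn=2980 op=-1 fd=78 closed - I/O function error.
[19/Nov/2014:14:21:40 +0100] conn=2981 fd=79 slot=79 connection from xxx to yyy
[19/Nov/2014:14:21:40 +0100] conn=2981 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Nov/2014:14:21:40 +0100] conn=2981 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=xxx"
[19/Nov/2014:14:21:41 +0100] conn=2981 op=1 UNBIND
[19/Nov/2014:14:21:41 +0100] conn=2981 op=-1 fd=79 closed - U1
"""

# Constructed sample error-log line, same text as the one quoted in the thread.
ERROR_LOG = """\
[19/Nov/2014:14:21:39 +0100] - sasl_io_recv failed to decode packet for connection 2980
"""

# Constructed dse.ldif fragment; the values are sample data, not a real server's.
DSE_SAMPLE = """\
dn: cn=config
cn: config
nsslapd-maxsasliosize: 2097152
nsslapd-sasl-max-buffer-size: 65536

dn: cn=encryption,cn=config
cn: encryption
"""

ACCESS_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
SASL_BIND = re.compile(r"method=sasl .*mech=(?P<mech>\S+)")
BIND_OK = re.compile(r"op=\d+ RESULT err=0 tag=97 ")        # tag 97 = BindResponse
CLOSED = re.compile(r"op=-1 fd=\d+ closed - (?P<reason>.*)$")
DECODE_FAIL = re.compile(r"sasl_io_recv failed to decode packet for connection (?P<conn>\d+)")
REPL_EXTOP_OID = "2.16.840.1.113730.3.5.12"   # replication-multimaster-extop, from the log above
SASL_LIMIT_ATTRS = ("nsslapd-maxsasliosize", "nsslapd-sasl-max-buffer-size")


@dataclass
class Conn:
    conn: int
    first_seen: str
    sasl_mechs: Set[str] = field(default_factory=set)
    sasl_bind_ok: bool = False
    replication_extop: bool = False
    close_reason: Optional[str] = None


def parse_access_log(text: str) -> Dict[int, Conn]:
    """Fold access-log lines into one Conn record per connection id."""
    conns: Dict[int, Conn] = {}
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        c = conns.setdefault(int(m["conn"]), Conn(int(m["conn"]), m["ts"]))
        rest = m["rest"]
        sm = SASL_BIND.search(rest)
        if sm:
            c.sasl_mechs.add(sm["mech"])
        elif BIND_OK.search(rest) and c.sasl_mechs:
            c.sasl_bind_ok = True          # err=0 on a BindResponse after SASL steps
        if f'oid="{REPL_EXTOP_OID}"' in rest:
            c.replication_extop = True
        cm = CLOSED.search(rest)
        if cm:
            c.close_reason = cm["reason"].strip()
    return conns


def parse_sasl_decode_failures(text: str) -> Set[int]:
    """Connection ids named in 'sasl_io_recv failed to decode packet' error lines."""
    return {int(m["conn"]) for m in DECODE_FAIL.finditer(text)}


def find_broken_sasl_sessions(access: str, errors: str) -> List[dict]:
    """Sessions with a successful SASL bind that ended in an I/O error or a decode failure."""
    conns = parse_access_log(access)
    failed = parse_sasl_decode_failures(errors)
    hits = []
    for c in sorted(conns.values(), key=lambda x: x.conn):
        io_error = c.close_reason is not None and "I/O function error" in c.close_reason
        if c.sasl_bind_ok and (io_error or c.conn in failed):
            hits.append({
                "conn": c.conn, "first_seen": c.first_seen, "mechs": sorted(c.sasl_mechs),
                "replication_session": c.replication_extop,
                "closed_with_io_error": io_error,
                "sasl_decode_failure_logged": c.conn in failed,
            })
    return hits


def sasl_limits_from_dse(ldif_text: str) -> Dict[str, Optional[int]]:
    """Read the SASL size limits from the cn=config entry; None means the server default applies."""
    result: Dict[str, Optional[int]] = {a: None for a in SASL_LIMIT_ATTRS}
    in_config = False
    for line in ldif_text.splitlines():
        if line.startswith("dn:"):
            in_config = line.strip().lower() == "dn: cn=config"
            continue
        if in_config and ":" in line:
            attr, _, value = line.partition(":")
            if attr.strip().lower() in result:
                result[attr.strip().lower()] = int(value.strip())
    return result


if __name__ == "__main__":
    for hit in find_broken_sasl_sessions(ACCESS_LOG, ERROR_LOG):
        print(hit)
    print(sasl_limits_from_dse(DSE_SAMPLE))
```

<p>A connection is only reported when the SASL bind actually completed (err=0 on the BindResponse), so the ordinary "SASL bind in progress" err=14 round trips of a GSSAPI handshake are not mistaken for failures; a hit whose replication_session flag is set is a replication agreement, which is the case discussed in the thread. Comparing the size of the largest replication update against the nsslapd-maxsasliosize value returned by sasl_limits_from_dse is the check thierry proposes above.</p>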
</body>
</html>