<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">Hello Will, Daniel, Server1 successfully replicated to Server2, but Server2 fails to replicated to Server1. The replication Server2->Server1 is done with kerberos authentication. Server1 receives the replication session, successfully identify the replication manager, start to receives replication extop but suddenly closes the connection. <blockquote><tt>[19/Nov/2014:14:21:39 +0100] conn=2980 fd=78 slot=78 connection from xxx to yyy</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=<a class="moz-txt-link-rfc2396E" href="mailto:krbprincipalname=ldap/bob.sd1.sd2.uni-kassel.de@.sd1.sd2.uni-kassel.de,cn=services,cn=accounts,dc=sd1,dc=sd2,dc=uni-kassel,dc=de">"krbprincipalname=xxx"</a></tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=3 RESULT err=0 tag=101 nentries=1 etime=0</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=4 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=4 RESULT err=0 tag=101 nentries=1 etime=0</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=5 RESULT err=0 tag=120 nentries=0 etime=0</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=6 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="nsSchemaCSN"</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=6 RESULT err=0 tag=101 nentries=1 etime=0</tt> <tt>[19/Nov/2014:14:21:39 +0100] conn=2980 op=-1 fd=78 closed - I/O function error.</tt> </blockquote> The reason of this closure is logged in server1 error log. sasl_decode fails to decode a received PDU. <blockquote><tt>[19/Nov/2014:14:21:39 +0100] - sasl_io_recv failed to decode packet for connection 2980</tt> </blockquote> I do not know why it fails but I wonder if the received PDU is not larger than the maximum configured value. The attribute nsslapd-maxsasliosize is set to 2Mb by default. Would it be possible to increase its value (5Mb) to see if it has an impact Thanks thierry On 11/19/2014 09:49 AM, thierry bordaz wrote: </div> <blockquote cite="mid:546C599B.9090101@redhat.com" type="cite"> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> <div class="moz-cite-prefix">On 11/18/2014 07:44 PM, Will Sheldon wrote: </div> <blockquote cite="mid:etPan.546b93a6.327b23c6.16f@Drone-5.appnovation.com" type="cite"> <style>body{font-family:Helvetica,Arial;font-size:13px}</style> <div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"> </div> No, not resolved yet I did test with GSSAPI (-Y) and like you it worked. :(</blockquote> Hello, Would it be possible to get server1/server2 logs (error/access) and config (dse.ldif) ?. Turning on replication logs would help ( <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting">http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting</a>). In the sample of the log, there is a failure while ending a replication session. No replication error before ? It is like suddenly server1 was no longer able to reach server2 (dns or network issue ?). thanks thierry <blockquote cite="mid:etPan.546b93a6.327b23c6.16f@Drone-5.appnovation.com" type="cite"> <div> </div> <div> <div id="bloop_sign_1416336143796808960" class="bloop_sign"> <div style="font-family:helvetica,arial;font-size:13px"> Will Sheldon </div> <div style="font-family:helvetica,arial;font-size:13px"> </div> </div> On November 18, 2014 at 8:37:10 AM, <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:dbischof@hrz.uni-kassel.de">dbischof@hrz.uni-kassel.de</a> (<a moz-do-not-send="true" href="mailto:dbischof@hrz.uni-kassel.de">dbischof@hrz.uni-kassel.de</a>) wrote: <blockquote type="cite" class="clean_bq"> <div> <div>Hi, On Fri, 7 Nov 2014, Dmitri Pal wrote: > On 11/07/2014 01:24 AM, Will Sheldon wrote: >> On November 6, 2014 at 10:07:54 PM, Dmitri Pal (<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a> >> <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:dpal@redhat.com"><mailto:dpal@redhat.com></a>) wrote: >>> On 11/07/2014 12:18 AM, Will Sheldon wrote: >>>> >>>> On the whole we are loving FreeIPA, Many thanks and much respect to >>>> all involved, we’ve had a great 12-18 months hassle free use out of >>>> it - it is a fantastically stable trouble free solution… however now >>>> we’ve run into a small issue we (as mere mortals) are finding it hard >>>> to resolve :-/ >>>> >>>> We upgraded our ipa servers (3.0.0-42) to Centos 6.6. everything >>>> seems to go well, but one server is behaving oddly. It’s likely not >>>> an IPA issue, it also reset it’s hostname somehow after the upgrade >>>> (it’s an image in an openstack environment) >>>> >>>> If anyone has any pointers as to how to debug I’d be hugely >>>> appreciative :) >>>> >>>> Two servers, server1.domain.com and server2.domain.com >>>> >>>> Server1 can’t push data to server2, there are updates and new records >>>> on server1 that do not exist on server2. >>>> >>>> >>>> from the logs on server1: >>>> >>>> [07/Nov/2014:01:33:42 +0000] NSMMReplicationPlugin - >>>> agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to send >>>> endReplication extended operation (Can't contact LDAP server) >>>> [07/Nov/2014:01:33:47 +0000] NSMMReplicationPlugin - >>>> agmt="cn=meToserver2.domain.com" (server2:389): Replication bind with >>>> GSSAPI auth resumed >>>> [07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin - >>>> agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to >>>> replicate schema: rc=2 >>>> [07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin - >>>> agmt="cn=meToserver2.domain.com" (server2:389): Consumer failed to replay >>>> change (uniqueid (null), CSN (null)): Can't contact LDAP server(-1). Will >>>> retry later. >>> >>> Try to see >>> a) Server 1 properly resolves server 2 >>> b) You can connect from server 1 to server 2 using ldapsearch >>> c) your firewall has proper ports open >>> d) dirserver on server 2 is actually running >> >> All seems working: >> >> [root@server1 ~]# ldapsearch -x -H <a moz-do-not-send="true" class="moz-txt-link-freetext" href="ldap://server2.domain.com">ldap://server2.domain.com</a> -s base -b '' >> namingContexts > > Can you try kinit admin and then use kerberos GSSAPI to connect, i.e. -Y > switch? is this resolved? I observe it on my systems, too. Exact same symptoms. ldapsearch with "-Y GSSAPI" works. > Did you find anything in the server2 logs? On my "server2", I see "sasl_io_recv failed to decode packet for connection #". Could there be something wrong with default buffer sizes as described in <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=953653">https://bugzilla.redhat.com/show_bug.cgi?id=953653</a> I have nsslapd-sasl-max-buffer-size: 65536 on both machines, but my database is rather small: ~30 users, <10 hosts and services. >> # extended LDIF >> # >> # LDAPv3 >> # base <> with scope baseObject >> # filter: (objectclass=*) >> # requesting: namingContexts >> # >> >> # >> dn: >> namingContexts: dc=domain,dc=com >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 2 >> # numEntries: 1 >> [root@server1 ~]# >> >> And: >> >> [root@server2 ~]# /etc/init.d/dirsrv status >> dirsrv DOMAIN-COM (pid 1009) is running... >> dirsrv PKI-IPA (pid 1083) is running... >> [root@server2 ~]# >> >>> >>> Check logs on server 2 to see whether it actually sees an attempt to >>> connect, I suspect not, so it is most likely a DNS/FW issue or dir server >>> is not running on 2. >>>> >>>> >>>> and the servers: >>>> >>>> [root@server1 ~]# ipa-replica-manage list -v `hostname` >>>> Directory Manager password: >>>> >>>> server2.domain.com: replica >>>> last init status: None >>>> last init ended: None >>>> last update status: 0 Replica acquired successfully: Incremental update >>>> started >>>> last update ended: 2014-11-07 01:35:58+00:00 >>>> [root@server1 ~]# >>>> >>>> >>>> >>>> [root@server2 ~]# ipa-replica-manage list -v `hostname` >>>> Directory Manager password: >>>> >>>> server1.domain.com: replica >>>> last init status: None >>>> last init ended: None >>>> last update status: 0 Replica acquired successfully: Incremental update >>>> succeeded >>>> last update ended: 2014-11-07 01:35:43+00:00 >>>> [root@server2 ~]# Mit freundlichen Gruessen/With best regards, --Daniel. -- Manage your subscription for the Freeipa-users mailing list: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go To <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://freeipa.org">http://freeipa.org</a> for more info on the project</div> </div> </blockquote> </div> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> </body> </html>