<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Please keep freeipa-users in loop</p>
<p>Well, indeed something bad is happening with replication. Did you
try to reinitialize the replica? Maybe the guys from DS will know what is
happening.<br>
</p>
<p>Martin<br>
</p>
<br>
<div class="moz-cite-prefix">On 06.05.2016 21:51, Devin Acosta
wrote:<br>
</div>
<blockquote cite="mid:572CF5B9.70104@pabstatencio.com" type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<div style="font-size: 11pt;font-family: tt;">Martin,<br>
<br>
Well, it initially started when I noticed errors in the logs
about having a conflict on a record. So I was trying to get that
record cleaned up. I then thought, oh, maybe I should just have it
reload everything from another server, and I wonder if now
that's why the box is just giving strange results.<br>
<br>
I had ipa1-i2x.rsinc.local reload from ipa01-aws.rsinc.local;
you can see the output of the commands below about replication
status. I can still log into ipa1-i2x.rsinc.local.<br>
<br>
<pre>[dacosta@ipa1-i2x ~]$ ipa-replica-manage -v list ipa02-aws.rsinc.local
ipa: WARNING: session memcached servers not running
ipa01-aws.rsinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update started
  last update ended: 1970-01-01 00:00:00+00:00
[dacosta@ipa1-i2x ~]$ ipa-replica-manage -v list ipa01-aws.rsinc.local
ipa: WARNING: session memcached servers not running
ipa02-aws.rsinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-06 19:47:26+00:00
ipa1-i2x.rsinc.local: replica
  last init status: 0 Total update succeeded
  last init ended: 2016-05-06 18:46:29+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-06 19:46:59+00:00
[dacosta@ipa1-i2x ~]$ ipa-replica-manage -v list ipa1-i2x.rsinc.local
ipa: WARNING: session memcached servers not running
ipa01-aws.rsinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 1 Can't acquire busy replica
  last update ended: 1970-01-01 00:00:00+00:00
</pre>
<br>
I do have these errors on (idm1-i2x) in the errors log:<br>
<pre>[06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 4 ldap://ipa01-aws.rsinc.local:389} 56e2f9e7000000040000 572ce681000200040000] which is present in RUV [database RUV]
[06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=rsinc,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 91 ldap://ipa1-i2x.rsinc.local:389} 56f02d3b0000005b0000 56f02d600007005b0000] which is present in RUV [database RUV]
[06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica o=ipaca there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[06/May/2016:18:48:46 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa1-i2x.rsinc.local@RSINC.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[06/May/2016:18:48:46 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[06/May/2016:18:48:46 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - agmt="cn=meToipa01-aws.rsinc.local" (ipa01-aws:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[06/May/2016:18:48:46 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[06/May/2016:18:48:46 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[06/May/2016:18:48:46 +0000] - Listening on /var/run/slapd-RSINC-LOCAL.socket for LDAPI requests
[06/May/2016:18:48:50 +0000] NSMMReplicationPlugin - agmt="cn=meToipa01-aws.rsinc.local" (ipa01-aws:389): Replication bind with GSSAPI auth resumed
[06/May/2016:18:49:18 +0000] - Retry count exceeded in delete
[06/May/2016:18:49:18 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 436145 (rc: 51)
</pre>
<br>
Thanks for your help.<br>
<br>
<br>
Martin Basti wrote:<br>
<blockquote type="cite">
On 06.05.2016 21:29, Devin Acosta wrote:<br>
<blockquote type="cite">
<blockquote type="cite">
I am running the latest FreeIPA on CentOS 7.2.<br>
<br>
I noticed I had a “nsds5ReplConflict” with an item. I tried to
follow the webpage to rename and delete, but that failed. I then
tried to have ipa1-i2x reload from the ipa01-aws instance, and now
it seems to have gone maybe worse?<br>
Can you please advise how to get back to a healthy system. I
initially added a system account as recommended so I could have,
say, Jira/Confluence do user searches against IDM.<br>
<br>
<pre>[dacosta@ipa1-i2x ~]$ ldapsearch -x -D "cn=directory manager" -w 'password' -b "dc=rsinc,dc=local" "nsds5ReplConflict=*" \* nsds5ReplConflict
# extended LDIF
#
# LDAPv3
# base &lt;dc=rsinc,dc=local&gt; with scope subtree
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
#

# 7ad08581-059911e6-b55c83a4-93228cdf + ldapsearch, sysaccounts, etc, rsinc.local
dn: nsuniqueid=7ad08581-059911e6-b55c83a4-93228cdf+uid=ldapsearch,cn=sysaccounts,cn=etc,dc=rsinc,dc=local
userPassword:: e1NTSEF9M3krdTh5TkdYV==
uid: ldapsearch
objectClass: account
objectClass: simplesecurityobject
objectClass: top
nsds5ReplConflict: namingConflict uid=ldapsearch,cn=sysaccounts,cn=etc,dc=rsinc,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
</pre>
<br>
<pre>[dacosta@ipa1-i2x ~]$ ./ipa_check_consistency -H "ipa1-i2x.local ipa01-aws.rsinc.local" -d RSINC.LOCAL
Directory Manager password:
FreeIPA servers:      ipa1-i2x    ipa01-aws      STATE
===================================================
Active Users          ERROR       33             FAIL
Stage Users           ERROR       0              FAIL
Preserved Users       ERROR       0              FAIL
User Groups           ERROR       7              FAIL
Hosts                 ERROR       82             FAIL
Host Groups           ERROR       1              FAIL
HBAC Rules            ERROR       2              FAIL
SUDO Rules            ERROR       4              FAIL
DNS Zones             ERROR       14             FAIL
LDAP Conflicts        ERROR       YES            FAIL
Anonymous BIND        ERROR       on             FAIL
Replication Status                ipa02-aws 0
                                  ipa1-i2x 0
===================================================
</pre>
<br>
<br>
<pre>[dacosta@ipa1-i2x ~]$ ipa-replica-manage list
ipa: WARNING: session memcached servers not running
ipa02-aws.rsinc.local: master
ipa01-aws.rsinc.local: master
ipa1-i2x.rsinc.local: master
</pre>
<br>
<br>
Devin Acosta<br>
Linux Certified Engineer<br>
e: <a class="moz-txt-link-abbreviated" href="mailto:devin@linuxguru.co">devin@linuxguru.co</a><br>
<br>
</blockquote>
<br>
</blockquote>
<br>
Hello, it is not clear to me what is wrong. Do you have conflicts
there?<br>
The output of the command is not from a tool supported by FreeIPA; I have
no idea what is wrong.<br>
<br>
To check the replication status for each IPA server, run<br>
ipa-replica-manage -v list &lt;hostname&gt;<br>
<br>
Can you kinit on all replicas?<br>
Can you do ldapsearch as directory manager on each server?<br>
<br>
Martin</blockquote>
</div>
</blockquote>
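<p>One way to turn the <code>ipa-replica-manage -v list</code> listings quoted in the thread into an automated check, as an added Python example (not FreeIPA code and not from anyone in the thread): it flags any agreement whose last update status code is not 0, or whose "last update ended" is still the 1970-01-01 epoch that 389-ds prints when no update has ever completed. The sample inputs are the healthy and the broken listing from the thread.</p>

```python
import re
from datetime import datetime, timezone

# Constructed samples: the ipa1-i2x entry of the second listing and the whole
# third listing quoted in the thread.
HEALTHY = """ipa1-i2x.rsinc.local: replica
  last init status: 0 Total update succeeded
  last init ended: 2016-05-06 18:46:29+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-06 19:46:59+00:00
"""
BROKEN = """ipa: WARNING: session memcached servers not running
ipa01-aws.rsinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 1 Can't acquire busy replica
  last update ended: 1970-01-01 00:00:00+00:00
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # 389-ds prints this for "never"
PEER_RE = re.compile(r"^(\S+): (?:replica|master)$")
FIELD_RE = re.compile(r"^\s*last (init|update) (status|ended): (.+)$")

def parse_listing(text):
    """Return {peer: {'init status', 'init ended', 'update status', 'update ended'}}.
    Status fields stay strings; 'ended' fields become aware datetimes."""
    agreements, current = {}, None
    for line in text.splitlines():
        if m := PEER_RE.match(line.strip()):
            current = agreements.setdefault(m.group(1), {})
        elif (m := FIELD_RE.match(line)) and current is not None:
            value = m.group(3).strip()
            if m.group(2) == "ended":
                value = datetime.fromisoformat(value)  # "YYYY-MM-DD HH:MM:SS+00:00"
            current[f"{m.group(1)} {m.group(2)}"] = value
    return agreements

def agreement_problems(fields):
    """List why one agreement looks unhealthy; an empty list means it is fine."""
    problems = []
    status = fields.get("update status", "")
    if status.split(" ", 1)[0] != "0":  # leading token is the status code
        problems.append(f"non-zero update status: {status}")
    if fields.get("update ended", EPOCH) == EPOCH:
        problems.append("no incremental update has ever completed")
    return problems

def unhealthy_agreements(text):
    """Map each peer that has problems to its problem list; healthy peers are omitted."""
    return {peer: p for peer, f in parse_listing(text).items() if (p := agreement_problems(f))}
```

Run against the output for every server in turn; an agreement that shows a non-zero code on one side while the peer side reports success, as in the thread, points at the side that needs attention.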
<br>
</body>
</html>