<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 09/26/2016 01:36 PM, Natxo Asenjo
wrote:<br>
</div>
<blockquote
cite="mid:CAHBEJzU8WFJRunscr8+MGYG4kYDarU8d0KbGVLQLzrdp3G+wEw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>hi,<br>
<br>
</div>
I recently upgraded a centos 6.8 realm to centos
7.2 and it almost went correctly.<br>
<br>
</div>
Now I see some errors in
/var/log/dirsrv/slapd-INSTANCENAME/errors<br>
<br>
26/Sep/2016:13:20:15 +0200] attrlist_replace -
attr_replace (nsslapd-referral, <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
moz-do-not-send="true"
href="http://kdc03.unix.iriszorg.nl:389/o%3Dipaca">kdc03.unix.iriszorg.nl:389/o%3Dipaca</a>)
failed<br>
<br>
</div>
and according to <a moz-do-not-send="true"
href="http://www.freeipa.org/page/Troubleshooting#Replication_issues">http://www.freeipa.org/page/Troubleshooting#Replication_issues</a>
this points to a ruv problem.<br>
<br>
</div>
So let's enumerate.<br>
<br>
</div>
We had kdc01 replicating to kdc02 (both 6.8).<br>
<br>
</div>
Then I created a replica from kdc01 to kdc03 (running 7.2).
<br>
<br>
</div>
And from kdc03 to kdc04 (both 7.2).<br>
<br>
</div>
kdc01 and kdc02 are decommissioned, but kdc02 still shows in
both kdc03 and kdc04:<br clear="all">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div><br>
$ ipa-replica-manage list<br>
<a moz-do-not-send="true"
href="http://kdc02.unix.iriszorg.nl">kdc02.unix.iriszorg.nl</a>:
master<br>
<a moz-do-not-send="true"
href="http://kdc03.unix.iriszorg.nl">kdc03.unix.iriszorg.nl</a>:
master<br>
<a moz-do-not-send="true"
href="http://kdc04.unix.iriszorg.nl">kdc04.unix.iriszorg.nl</a>:
master<br>
<br>
</div>
<div>and in <br>
</div>
<div><br>
$ ipa-csreplica-manage list<br>
Directory Manager password: <br>
<a moz-do-not-send="true"
href="http://kdc02.unix.iriszorg.nl">kdc02.unix.iriszorg.nl</a>:
master<br>
<a moz-do-not-send="true"
href="http://kdc03.unix.iriszorg.nl">kdc03.unix.iriszorg.nl</a>:
master<br>
<a moz-do-not-send="true"
href="http://kdc04.unix.iriszorg.nl">kdc04.unix.iriszorg.nl</a>:
master<br>
<br>
<br>
</div>
<div>>From kdc03:<br>
$ ldapsearch -Z -h <a moz-do-not-send="true"
href="http://kdc04.unix.iriszorg.nl">kdc04.unix.iriszorg.nl</a>
-D "cn=Directory Manager" -W -b "o=ipaca"
"(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
| grep "nsds50ruv\|nsDS5ReplicaId"<br>
Enter LDAP Password: <br>
nsDS5ReplicaId: 1095<br>
nsds50ruv: {replicageneration}
50c1015c000000600000<br>
nsds50ruv: {replica 1095 <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
moz-do-not-send="true"
href="http://kdc04.unix.iriszorg.nl:389">kdc04.unix.iriszorg.nl:389</a>}
57e4d75a0000044700<br>
nsds50ruv: {replica 66 <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
moz-do-not-send="true"
href="http://kdc03.unix.iriszorg.nl:389">kdc03.unix.iriszorg.nl:389</a>}
57e23f66000000420000<br>
nsds50ruv: {replica 96 <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
moz-do-not-send="true"
href="http://kdc01.unix.iriszorg.nl:7389">kdc01.unix.iriszorg.nl:7389</a>}
50c1016c00000060000<br>
nsds50ruv: {replica 71 <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
moz-do-not-send="true"
href="http://kdc03.unix.iriszorg.nl:389">kdc03.unix.iriszorg.nl:389</a>}
57e140c7000000470000<br>
nsds50ruv: {replica 97 <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
moz-do-not-send="true"
href="http://kdc02.unix.iriszorg.nl:7389">kdc02.unix.iriszorg.nl:7389</a>}
50c1016800000061000<br>
<br>
</div>
<div>and from kdc04:<br>
<br>
# ldapsearch -Z -h <a moz-do-not-send="true"
href="http://kdc04.unix.iriszorg.nl">kdc04.unix.iriszorg.nl</a>
-D "cn=Directory Manager" -W -b "o=ipaca"
"(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
| grep "nsds50ruv\|nsDS5ReplicaId"<br>
Enter LDAP Password: <br>
nsDS5ReplicaId: 1095<br>
nsds50ruv: {replicageneration}
50c1015c000000600000<br>
nsds50ruv: {replica 1095 <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
moz-do-not-send="true"
href="http://kdc04.unix.iriszorg.nl:389">kdc04.unix.iriszorg.nl:389</a>}
57e4d75a0000044700<br>
nsds50ruv: {replica 66 <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
moz-do-not-send="true"
href="http://kdc03.unix.iriszorg.nl:389">kdc03.unix.iriszorg.nl:389</a>}
57e23f66000000420000<br>
nsds50ruv: {replica 96 <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
moz-do-not-send="true"
href="http://kdc01.unix.iriszorg.nl:7389">kdc01.unix.iriszorg.nl:7389</a>}
50c1016c00000060000<br>
nsds50ruv: {replica 71 <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
moz-do-not-send="true"
href="http://kdc03.unix.iriszorg.nl:389">kdc03.unix.iriszorg.nl:389</a>}
57e140c7000000470000<br>
nsds50ruv: {replica 97 <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
moz-do-not-send="true"
href="http://kdc02.unix.iriszorg.nl:7389">kdc02.unix.iriszorg.nl:7389</a>}
50c1016800000061000<br>
<br>
<br>
</div>
<div>So now I have to run a clen ruv task like
this (as seen in <a moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html">https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html</a>):<br>
<br>
<pre># ldapmodify -ZZ -D "cn=directory manager" -W -a
dn: cn=clean 13, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: o=ipaca
replica-id: 13
cn: clean 13
</pre>
<pre>And in my example, the replica id would be 66, 96, 71 and 97, correct?
</pre>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
no, I don't think so. you searched 2 times the same host "-h <a
moz-do-not-send="true" href="http://kdc04.unix.iriszorg.nl">kdc04.unix.iriszorg.nl</a>".
<br>
you need to search on kdc03 to find the current replicaid of kdc03
and you have to keep it.<br>
<blockquote
cite="mid:CAHBEJzU8WFJRunscr8+MGYG4kYDarU8d0KbGVLQLzrdp3G+wEw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<pre>
</pre>
<pre>Thanks for confirming this, never done it before.
</pre>
</div>
<div>
<div class="gmail_signature">--<br>
Groeten,<br>
natxo</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Red Hat GmbH, <a class="moz-txt-link-freetext" href="http://www.de.redhat.com/">http://www.de.redhat.com/</a>, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander</pre>
</body>
</html>