<div dir="ltr">Hi Goran<div><br></div><div>Exact same issue here with the same troubleshooting steps taken(I've tried to reinitialize the replicas with success msg) - no luck so far. </div><div><br></div><div>I've additionally have run ipa_check_consistency script:</div><div><div><font face="monospace, monospace">FreeIPA servers: ipa1 ipa2 ipa3 STATE</font></div><div><font face="monospace, monospace">===================================================================</font></div><div><font face="monospace, monospace">Active Users 37 37 37 OK </font></div><div><font face="monospace, monospace">Stage Users 0 0 0 OK </font></div><div><font face="monospace, monospace">Preserved Users 0 0 0 OK </font></div><div><font face="monospace, monospace">User Groups 10 10 10 OK </font></div><div><font face="monospace, monospace">Hosts 69 69 69 OK </font></div><div><font face="monospace, monospace">Host Groups 7 7 7 OK </font></div><div><font face="monospace, monospace">HBAC Rules 11 11 11 OK </font></div><div><font face="monospace, monospace">SUDO Rules 1 1 1 OK </font></div><div><font face="monospace, monospace">DNS Zones 8 8 8 OK </font></div><div><font face="monospace, monospace">LDAP Conflicts YES YES YES FAIL </font></div><div><font face="monospace, monospace">Ghost Replicas NO NO NO OK </font></div><div><font face="monospace, monospace">Anonymous BIND YES YES YES OK </font></div><div><font face="monospace, monospace">Replication Status ipa2 18 ipa1 0 ipa1 0 </font></div><div><font face="monospace, monospace"> ipa3 0 </font></div><div><font face="monospace, monospace">===================================================================</font></div></div><div><br></div><div>Besides of this the ipa master named-pkcs is sometimes crashing and ipa fails to start. </div><div>I've rolled a backup from 1week ago and it's starting but I don't know how long it will last.</div><div><br></div><div>IPA team please help.</div><div><br></div><div><br></div><div><div><font face="monospace, monospace"># ipa --version</font></div><div><font face="monospace, monospace">VERSION: 4.4.0, API_VERSION: 2.213</font></div></div><div><font face="monospace, monospace"><br></font></div><div>-- <br><div class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Best regards</div><div dir="ltr"><br><div><span style="font-size:12.8px">Maciej Drobniuch</span></div><div>Network Security Engineer</div><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:12.8px">Collective-Sense,LLC</div></div></div></div></div></div></div></div></div></div></div></div></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 11, 2017 at 6:53 PM, Goran Marik <span dir="ltr"><<a href="mailto:goranm@ecobee.com" target="_blank">goranm@ecobee.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br> <br> After an upgrade to Centos 7.3.1611 with “yum update", we started seeing the following messages in the logs:<br> “””<br> May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.<wbr>519724479 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-<wbr>inf02.dev.ecobee.com-pki-<wbr>tomcat" (inf02:389): CSN 576b34e8000a050f0000 not found, we aren't as up to date, or we purged<br> May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.<wbr>550459233 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-<wbr>inf02.dev.ecobee.com-pki-<wbr>tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.<br> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.<wbr>588245476 +0000] agmt="cn=cloneAgreement1-<wbr>inf02.dev.ecobee.com-pki-<wbr>tomcat" (inf02:389) - Can't locate CSN 576b34e8000a050f0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.<br> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.<wbr>611400689 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-<wbr>inf02.dev.ecobee.com-pki-<wbr>tomcat" (inf02:389): CSN 576b34e8000a050f0000 not found, we aren't as up to date, or we purged<br> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.<wbr>642226385 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-<wbr>inf02.dev.ecobee.com-pki-<wbr>tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.<br> “””<br> <br> The log messages are pretty frequently, every few seconds, and report few different CSN numbers that cannot be located.<br> <br> This happens only on one replica out of 4. We’ve tried "ipa-replica-manage re-initialize —from” and “ipa-csreplica-manage re-initialize —from” several times, but while both commands report success, the log messages continue to happen. The server was rebooted and “systemctl restart ipa” was done few times as well.<br> <br> The replica seems to be working fine despite the errors, but I’m worried that the logs indicate underlaying problem we are not fully detecting. I would like to understand better what is triggering this behaviour and how to fix it, and if someone else saw them after a recent upgrades.<br> <br> The software versions are 389-ds-base-1.3.5.10-20.el7_3.<wbr>x86_64 and ipa-server-4.4.0-14.el7.<wbr>centos.7.x86_64<br> <br> Thanks,<br> Goran<br> <br> --<br> Goran Marik<br> Senior Systems Developer<br> <br> ecobee<br> 250 University Ave, Suite 400<br> Toronto, ON M5H 3E5<br> <span class="gmail-HOEnZb"><font color="#888888"><br> <br> <br> --<br> Manage your subscription for the Freeipa-users mailing list:<br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/freeipa-users</a><br> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project</font></span></blockquote></div><br><br clear="all"><div><br></div><br> </div></div>