[Freeipa-users] Replicas in a state of confusion
Ian Levesque
ian at crystal.harvard.edu
Thu Feb 9 21:25:03 UTC 2012
On Feb 9, 2012, at 1:57 PM, Simo Sorce wrote:
> On Tue, 2012-02-07 at 23:19 -0500, Ian Levesque wrote:
>
>> On the replica:
>>
>> [21/29]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [sbgrid-directory.in.hwlab] reports: Update failed! Status: [-2 -
>> System error]
>> creation of replica failed: Failed to start replication
>>
>> On the "primary":
>>
>> slapd_ldap_sasl_interactive_bind - Error: could not perform
>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>> Minor code may provide more information (Cannot contact any KDC for
>> requested realm))
>>
>> slapi_ldap_bind - Error: could not perform interactive bind for id []
>> mech [GSSAPI]: error -2 (Local error)
>>
>> `ipa-replica-manage list` on the primary still lists both...
>>
>> sbgrid-directory.in.hwlab: master
>> sbgrid-directory-replica.in.hwlab: master
>>
>> Thanks for your continued interest.
>
> I think you failed to properly clean up before reinstalling the replica.
>
> On the replica make sure you run:
> ipa-server-install --uninstall
>
> On the primary:
> ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab
>
> You will have to force because you already removed the replica.
>
> Once you do that you can generate a new replica file for the replica and
> retry to set up replication.
>
> Let me know if you encounter any other error once you have done that.
I tried what you suggested and today, the replication did complete.

That said, there were a bunch of errors on the initial master, including:

id2entry - str2entry returned NULL for id 12, string="rdn"
_entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct to RDN
(snip - continues for each automountmapname cn entry)

NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20
(repeated several times)

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
(repeated several times)

NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab" (sbgrid-directory-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)

And ~ every 5 minutes, I see the familiar-by-now:

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)

The replica reports both masters when I run `ipa-replica-manage list`, but the primary master only lists itself.

Things /appear/ to be working correctly, but none of this is making me feel very confident...

Thanks,
Ian
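
An added example, not part of the original message and not FreeIPA or 389 Directory Server code: a small Python tally that groups the GSSAPI bind and replication-agreement errors quoted in this thread by logging function, LDAP error code and GSS detail, so the KDC-unreachable failures (error -2) can be told apart from the rejected-credential ones (error 49). The sample lines are constructed from the excerpts above, and the names `summarize`, `BIND_RE`, `AGMT_RE` and `GSS_DETAILS` are this example's own.

```python
import re
from collections import Counter

# Patterns follow the message formats quoted in the thread above; they use
# search(), so a timestamp prefix in a real errors log is ignored.
BIND_RE = re.compile(
    r"(?P<func>slapd_ldap_sasl_interactive_bind|slapi_ldap_bind) - Error: "
    r"could not perform interactive bind for id \[[^\]]*\] "
    r"mech \[(?P<mech>[^\]]+)\]: error (?P<code>-?\d+) \((?P<text>[^)]*)\)"
)
AGMT_RE = re.compile(
    r'NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): '
    r"Replication bind with \S+ auth failed: LDAP error (?P<code>-?\d+)"
)
# GSS-level details that appear in the quoted errors.
GSS_DETAILS = ("Cannot contact any KDC", "gss_accept_sec_context")

# Constructed sample: the thread's excerpts, each joined onto one line.
_SASL49 = ("slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: "
           "error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)")
_BIND49 = "slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)"
SAMPLE = [
    "slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: "
    "error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. "
    "Minor code may provide more information (Cannot contact any KDC for requested realm))",
    "slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)",
    _SASL49, _BIND49,
    'NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab" (sbgrid-directory-replica:389): '
    "Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) "
    "(SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)",
    _SASL49, _BIND49,
    'id2entry - str2entry returned NULL for id 12, string="rdn"',  # not a bind error
]

def summarize(lines):
    """Return (bind_failures, agreement_failures) as Counters keyed by detail."""
    binds, agmts = Counter(), Counter()
    for line in lines:
        m = AGMT_RE.search(line)
        if m:  # failure tied to a named replication agreement and peer
            agmts[(m["agmt"], m["peer"], int(m["code"]))] += 1
            continue
        m = BIND_RE.search(line)
        if m:  # outgoing SASL bind failure; keep the GSS detail when present
            detail = next((d for d in GSS_DETAILS if d in line), "")
            binds[(m["func"], int(m["code"]), m["text"], detail)] += 1
    return binds, agmts

if __name__ == "__main__":
    for counter in summarize(SAMPLE):
        for key, n in sorted(counter.items()):
            print(n, *key)
```
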