[Freeipa-users] Replicas in a state of confusion

Simo Sorce simo at redhat.com
Thu Feb 9 21:32:03 UTC 2012


On Thu, 2012-02-09 at 16:25 -0500, Ian Levesque wrote:
> On Feb 9, 2012, at 1:57 PM, Simo Sorce wrote:
> 
> > On Tue, 2012-02-07 at 23:19 -0500, Ian Levesque wrote:
> > 
> >> On the replica:
> >> 
> >> 	[21/29]: setting up initial replication
> >> 	Starting replication, please wait until this has completed.
> >> 	[sbgrid-directory.in.hwlab] reports: Update failed! Status: [-2  -
> >> System error]
> >> 	creation of replica failed: Failed to start replication
> >> 
> >> On the "primary":
> >> 
> >> 	slapd_ldap_sasl_interactive_bind - Error: could not perform
> >> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> >> Minor code may provide more information (Cannot contact any KDC for
> >> requested realm))
> >> 
> >> 	slapi_ldap_bind - Error: could not perform interactive bind for id []
> >> mech [GSSAPI]: error -2 (Local error)
> >> 
> >> `ipa-replica-manage list` on the primary still lists both...
> >> 
> >> 	sbgrid-directory.in.hwlab: master
> >> 	sbgrid-directory-replica.in.hwlab: master
> >> 
> >> Thanks for your continued interest.
> > 
> > I think you failed to properly clean up before reinstalling the replica.
> > 
> > On the replica make sure you run:
> > ipa-server-install --uninstall
> > 
> > On the primary:
> > ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab
> > 
> > You will have to force because you already removed the replica.
> > 
> > Once you do that you can generate a new replica file for the replica and
> > retry to set up replication.
> > 
> > Let me know if you encounter any other error once you have done that.
> 
> I tried what you suggested and today, the replication did complete. 
> 
> That said, there were a bunch of errors on the initial master, including:
> 
> id2entry - str2entry returned NULL for id 12, string="rdn"
> _entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct to RDN
> (snip - continues for each automountmapname cn entry)
> 
> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20
> (repeated several times)
> 
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> (repeated several times)
> 
> NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab" (sbgrid-directory-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> 
> And ~ every 5 minutes, I see the familiar-by-now:
> 
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> 
> The replica reports both masters when I run `ipa-replica-manage list`, but the primary master only lists itself.
> 
> Things /appear/ to be working correctly, but none of this is making me feel very confident...

They are not running correctly.
Your first master seems to keep having issues connecting to the replica.

Did you restart the master?

Because you replaced the replica with another of identical name, the
master may have cached a previously valid ticket that is not correct
anymore since you rebuilt replica credentials and therefore all old
tickets are invalid.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
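
Added example (not part of the original message, and not FreeIPA or 389-ds code): a small Python triage of the directory-server error lines quoted in this thread. It separates the "Cannot contact any KDC" failure from the error 49 `gss_accept_sec_context` rejection that the reply above attributes to a stale cached ticket. The category names and the `classify`/`summarize` helpers are assumptions made for illustration; the sample lines are copied from the thread.

```python
import re
from collections import Counter

# Sample input: error lines as quoted in the thread (no timestamps there).
SAMPLE = """\
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for requested realm))
slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab" (sbgrid-directory-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20
"""

LDAP_RE = re.compile(r'error (-?\d+) \(([^)]+)\)')   # e.g. "error 49 (Invalid credentials)"
AGMT_RE = re.compile(r'agmt="cn=meTo([^"]+)"')       # replication agreement peer

# Hypothetical category names; the notes paraphrase the log text and the reply.
NOTES = {
    "kdc_unreachable": "this server could not reach a KDC for its realm",
    "ticket_rejected_by_peer": "peer refused the ticket; after a same-name "
        "replica rebuild a cached ticket may be stale, so restart the master",
}

def classify(line):
    """Return (category, peer) for a GSSAPI bind failure line, else None."""
    ldap = LDAP_RE.search(line)
    if "GSSAPI" not in line or not ldap:
        return None
    code = int(ldap.group(1))
    agmt = AGMT_RE.search(line)
    peer = agmt.group(1) if agmt else None
    if "Cannot contact any KDC" in line:
        return ("kdc_unreachable", peer)
    if code == 49 and "gss_accept_sec_context" in line:
        return ("ticket_rejected_by_peer", peer)
    return (f"ldap_error_{code}", peer)   # GSSAPI failure without SASL detail

def summarize(text):
    """Count failure categories and collect the peers named in agreements."""
    counts, peers = Counter(), set()
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
            if hit[1]:
                peers.add(hit[1])
    return counts, peers

if __name__ == "__main__":
    counts, peers = summarize(SAMPLE)
    for cat, n in counts.most_common():
        print(f"{n:3d}  {cat}: {NOTES.get(cat, 'no SASL detail on this line')}")
    print("peers:", ", ".join(sorted(peers)) or "none")
```
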



