[Freeipa-users] Replication woes

Bret Wortman bret.wortman at damascusgrp.com
Mon Aug 19 15:27:10 UTC 2013


Well, my master ground to a halt and wasn't responding. I rebooted the
system and now I can't access the web UI or ssh to the master either. I
have console access but that's it.

The services all say they're running, but the web UI gives an "Unknown
Error" dialog and ssh fails with "ssh_exchange_identification: Connection
closed by remote host" whenever I try to ssh to ipamaster. I think
something has gone really wrong inside my master. Any ideas? Even after the
reboot, --cleanup isn't helping and just hangs.

The logfiles end (as of the time I ^C'd the process) with:

NSMMReplicationPlugin - agmt="cn=meTogood3.spx.net" (good3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address))
NSMMReplicationPlugin - CleanAllRUV Task: Replica not online (agmt="cn=meTogood3.foo.net" (good3:389))
NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas online, retrying in 160 seconds...,

So it looks like it's having trouble talking with one of my replicas and is
doggedly trying to get the job done. Any idea how to get the master back
working again while I troubleshoot this connectivity issue?


*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret


On Mon, Aug 19, 2013 at 11:11 AM, Rob Crittenden <rcritten at redhat.com> wrote:

> Bret Wortman wrote:
>
>> How can I tell if this is working? It's been 10 minutes and it hasn't
>> returned; IPA response is sluggish and top doesn't show anything
>> obviously running & sucking up CPU.
>>
>
> It should be nearly instantaneous. It doesn't actually do a lot. It
> deletes the master from cn=masters, removes its entries from S4U2proxy
> delegation and in newer versions attempts to save its DNA configuration, if
> any.
>
> It should be safe to break out of it and re-run it. You may want to check
> the 389-ds logs to see what it has already done.
>
> rob
>
>
>>
>> *Bret Wortman*
>>
>> http://damascusgrp.com/
>> http://about.me/wortmanbret
>>
>>
>> On Mon, Aug 19, 2013 at 10:16 AM, Bret Wortman
>> <bret.wortman at damascusgrp.com> wrote:
>>
>>     My replication situation has gotten a bit messed up.
>>
>>     I have four replicas that are up and running and two that I'm trying
>>     to delete (one is not a replica any more, one didn't upgrade well
>>     during its fedup upgrade from F17->F18 and as such I had to do a
>>     clean OS install).
>>
>>     # ipa-replica-manage list
>>     bad1.foo.net: master
>>     bad2.foo.net: master
>>     good1.foo.net: master
>>     good2.foo.net: master
>>     good3.foo.net: master
>>     good4.foo.net: master
>>     # ipa-replica-manage list ipamaster.foo.net
>>     good1.foo.net: replica
>>     good2.foo.net: replica
>>     good3.foo.net: replica
>>     good4.foo.net: replica
>>     # ipa-replica-manage del --force bad1.foo.net
>>     'ipamaster.foo.net' has no replication agreement for 'bad1.foo.net'
>>     # ipa-replica-manage del --force bad2.foo.net
>>     'ipamaster.foo.net' has no replication agreement for 'bad2.foo.net'
>>     #
>>
>>     What I need to do is remove bad1 completely and then remove bad2 and
>>     re-add it as a replica. Any ideas?
>>
>>     *Bret Wortman*
>>
>>     http://damascusgrp.com/
>>     http://about.me/wortmanbret
>>
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
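
Added example, not part of the original message and not FreeIPA or 389-ds code: a small Python triage of the errors-log lines quoted at the top of this message, grouping findings by the agreement's host:port target and tolerating hard line wraps of the kind a mail client introduces. The function names and finding labels are assumptions made for the example.

```python
import re

# Constructed sample: the log lines quoted in the message, with hard wraps.
SAMPLE = '''NSMMReplicationPlugin - agmt="cn=meTogood3.spx.net" (good3:389):
Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information (Cannot determine realm for numeric host
address))
NSMMReplicationPlugin - CleanAllRUV Task: Replica not online (agmt="cn=
meTogood3.foo.net" (good3:389))
NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas online, retrying
in 160 seconds...,
'''

MARK = "NSMMReplicationPlugin - "
ENTRY = re.compile(re.escape(MARK) + r".*?(?=" + re.escape(MARK) + r"|$)")
AGMT = re.compile(r'agmt="cn=\s*[^"]+"\s*\(([^)]+)\)')  # captures host:port
GSS_DETAIL = re.compile(r"more information \(([^)]+)\)")
RETRY = re.compile(r"retrying in (\d+) seconds")

def entries(text):
    """Undo hard wraps, then split into one string per plugin message."""
    flat = " ".join(text.split())
    return [e.strip() for e in ENTRY.findall(flat)]

def triage(text):
    """Return (findings per agreement target, GSS detail, retry seconds)."""
    findings, detail, retry = {}, None, None
    for entry in entries(text):
        target = AGMT.search(entry)
        if target:
            seen = findings.setdefault(target.group(1), set())
            if "bind with GSSAPI auth failed" in entry:
                seen.add("gssapi_bind_failed")
                m = GSS_DETAIL.search(entry)
                detail = m.group(1) if m else detail
            if "Replica not online" in entry:
                seen.add("offline_for_cleanallruv")
        r = RETRY.search(entry)
        if r:
            retry = int(r.group(1))
    return {t: sorted(f) for t, f in findings.items()}, detail, retry

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Keying on the host:port target rather than the agreement name groups both entries for good3 even though the quoted agreement names differ in their domain suffix.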