[Freeipa-users] Replication woes
Rob Crittenden
rcritten at redhat.com
Mon Aug 19 15:29:36 UTC 2013
Bret Wortman wrote:
> Well, my master ground to a halt and wasn't responding. I rebooted the
> system and now I can't access the web UI or ssh to the master either. I
> have console access but that's it.
>
> The services all say they're running, but the web UI gives an "Unknown
> Error" dialog and ssh fails with "ssh_exchange_identification:
> Connection closed by remote host" whenever I try to ssh to ipamaster. I
> think something has gone really wrong inside my master. Any ideas? Even
> after the reboot, --cleanup isn't helping and just hangs.
>
> The logfiles end (as of the time I ^C'd the process) with:
>
> NSMMReplicationPlugin - agmt="cn=meTogood3.spx.net" (good3:389):
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor
> code may provide more information (Cannot determine realm for numeric
> host address))
> NSMMReplicationPlugin - CleanAllRUV Task: Replica not online
> (agmt="cn=meTogood3.foo.net" (good3:389))
> NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas online,
> retrying in 160 seconds...,
>
> So it looks like it's having trouble talking with one of my replicas and
> is doggedly trying to get the job done. Any idea how to get the master
> back working again while I troubleshoot this connectivity issue?
That suggests a DNS problem, and it might explain ssh as well depending
on your configuration.
rob
>
> *Bret Wortman*
>
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
>
> On Mon, Aug 19, 2013 at 11:11 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Bret Wortman wrote:
>
> How can I tell if this is working? It's been 10 minutes and it hasn't
> returned; IPA response is sluggish and top doesn't show anything
> obviously running & sucking up CPU.
>
>
> It should be nearly instantaneous. It doesn't actually do a lot. It
> deletes the master from cn=masters, removes its entries from
> S4U2proxy delegation and in newer versions attempts to save its DNA
> configuration, if any.
>
> It should be safe to break out of it and re-run it. You may want to
> check the 389-ds logs to see what it has already done.
>
> rob
>
> *Bret Wortman*
>
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
>
> On Mon, Aug 19, 2013 at 10:16 AM, Bret Wortman <bret.wortman at damascusgrp.com> wrote:
>
> My replication situation has gotten a bit messed up.
>
> I have four replicas that are up and running and two that I'm trying
> to delete (one is not a replica any more, one didn't upgrade well
> during its fedup upgrade from F17->F18 and as such I had to do a
> clean OS install).
>
> # ipa-replica-manage list
> bad1.foo.net: master
> bad2.foo.net: master
> good1.foo.net: master
> good2.foo.net: master
> good3.foo.net: master
> good4.foo.net: master
> # ipa-replica-manage list ipamaster.foo.net
> good1.foo.net: replica
> good2.foo.net: replica
> good3.foo.net: replica
> good4.foo.net: replica
> # ipa-replica-manage del --force bad1.foo.net
> 'ipamaster.foo.net' has no replication agreement for 'bad1.foo.net'
> # ipa-replica-manage del --force bad2.foo.net
> 'ipamaster.foo.net' has no replication agreement for 'bad2.foo.net'
> #
>
> What I need to do is remove bad1 completely and then remove bad2 and
> re-add it as a replica. Any ideas?
>
> *Bret Wortman*
>
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
> _________________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
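
To follow up on the DNS suggestion in the reply above, here is an added example (not part of the original thread and not FreeIPA code) that pulls the failing replication agreements out of 389-ds error-log lines and checks whether each agreement host resolves forward and back to the same name. The names `failing_agreements`, `dns_round_trip` and `SAMPLE_LOG` are assumptions of this sketch, and the sample lines are constructed from the messages quoted in the thread.

```python
import re
import socket

# agmt="cn=<agreement>" (<host>:<port>) as it appears in the 389-ds errors log
AGMT_RE = re.compile(r'agmt="cn=([^"]+)"\s+\(([^:()\s]+):(\d+)\)')

# Constructed sample: the thread's messages joined back onto single lines.
SAMPLE_LOG = [
    'NSMMReplicationPlugin - agmt="cn=meTogood3.foo.net" (good3:389): '
    'Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)',
    'NSMMReplicationPlugin - CleanAllRUV Task: Replica not online '
    '(agmt="cn=meTogood3.foo.net" (good3:389))',
    'NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas online, '
    'retrying in 160 seconds...',
]

def failing_agreements(lines):
    """Map each agreement host to the set of failure kinds logged for it."""
    found = {}
    for line in lines:
        m = AGMT_RE.search(line)
        if not m:
            continue  # e.g. the retry notice, which names no agreement
        if "GSSAPI auth failed" in line:
            kind = "gssapi-bind-failed"
        elif "Replica not online" in line:
            kind = "replica-offline"
        else:
            continue
        found.setdefault(m.group(2), set()).add(kind)
    return found

def dns_round_trip(host, forward=socket.gethostbyname,
                   reverse=socket.gethostbyaddr):
    """Resolve host to an address and back; report where the chain breaks."""
    try:
        addr = forward(host)
    except OSError:  # socket.gaierror is a subclass
        return "no-forward-record"
    try:
        name = reverse(addr)[0].rstrip(".").lower()
    except OSError:  # socket.herror is a subclass
        return "no-reverse-record"
    short = host.rstrip(".").lower()
    # A short name such as good3 is fine if the PTR gives good3.<domain>
    if name == short or name.startswith(short + "."):
        return "ok"
    return "mismatch: %s -> %s -> %s" % (host, addr, name)

if __name__ == "__main__":
    for h in sorted(failing_agreements(SAMPLE_LOG)):
        print(h, dns_round_trip(h))
```

Run it on the master against the real errors log and each replica host; any result other than `ok` points at the forward or reverse record to fix before retrying the cleanup.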