[Freeipa-users] ipa-replica-manage list fail on server 2

Rich Megginson rmeggins at redhat.com
Mon Jul 7 14:21:41 UTC 2014


On 07/04/2014 03:28 AM, barrykfl at gmail.com wrote:
> FOUND something strange that server 1 replicates to itself rather than 
> server2
>
> Server1 access log > Wrong
> [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 
> 192.168.15.89( server1 )  to 192.168.15.89 (server1)

Are you sure that this connection is a replication session?  Can you 
post all of the operations from the access log from conn=936207?

>
>
> Server 2 access log > OK
> [04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection from 
> 192.168.15.89(server2) to 192.168.15.88 (server2)
>
>
> 2014-07-04 9:25 GMT+08:00 <barrykfl at gmail.com>:
>
>     Just sure now one side flow is broken, if u update server1 , it
>     100% work server2 will upgrade.
>     but if u update server2 there is chance non-syn e.g it create
>     username  in server1 with posfix grp >ok
>     but in server2 it only created posfix grp but no username
>     /attribute it occur several times. I have to use command line grp
>     del ...etc. to force del them and recreate them.
>
>     Result below:
>
>     server2.abc.com: replica
>       last init status: None
>       last init ended: None
>       last update status: 0 Replica acquired successfully: Incremental
>     update succeeded
>       last update ended: 2014-07-04 00:33:18+00:00
>
>     Directory Manager password:
>
>     server1.abc.com: replica
>       last init status: 0 Total update succeeded
>       last init ended: 2014-06-20 10:07:02+00:00
>       last update status: 0 Replica acquired successfully: Incremental
>     update succeeded
>       last update ended: 2014-07-04 01:14:19+00:00
>
>
>
>     [root@(LIVE)server2 ~]$  ipactl status
>     Directory Service: RUNNING
>     KDC Service: RUNNING
>     KPASSWD Service: RUNNING
>     MEMCACHE Service: RUNNING
>     HTTP Service: RUNNING
>
>
>     2014-07-04 1:34 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>
>         barrykfl at gmail.com wrote:
>         > Yes they are running. Server 1 can sync to server2 but error
>         > at server 2 like this.
>
>         How do you know server 1 is syncing with server 2?
>
>         On server 1 I'd run:
>
>         ipa-replica-manage list -v `hostname`
>
>         This will show the replication status.
>
>         And what does ipactl status show on server 2?
>
>         rob
>
>         >
>         > 2014/7/3 ??10:14 ? "Rob Crittenden" <rcritten at redhat.com> ??:
>         >
>         >     Please keep replies on the list.
>         >
>         > barrykfl at gmail.com wrote:
>         >     > I saw the error below and error log is it related ?
>         >     >
>         >     > 29/Jun/2014:02:00:58 +0800]
>         slapd_ldap_sasl_interactive_bind - Error:
>         >     > could not perform interactive bind for id [] mech
>         [GSSAPI]: LDAP error
>         >     > -2 (Local error) (SASL(-1): generic failure: GSSAPI
>         Error: Unspecified
>         >     > GSS failure.  Minor code may provide more information
>         (Credentials
>         >     cache
>         >     > file '/tmp/krb5cc_492' not found)) errno 0 (Success)
>         >     > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error:
>         could not
>         >     perform
>         >     > interactive bind for id [] mech [GSSAPI]: error -2
>         (Local error)
>         >
>         >     I believe this is fairly normal on a new startup. It has
>         to start
>         >     somewhere. The expired ticket errors below are
>         unexpected since there
>         >     are so many of them. Is your KDC running?
>         >
>         >     ipactl status
>         >
>         >     rob
>         >
>         >     >
>         >     >
>         >     > 2014-07-02 14:15 GMT+08:00 <barrykfl at gmail.com>:
>         >     >
>         >     >
>         >     >     this is the error log i found at 2.abc.com
>         >     >
>         >     >     [30/Jun/2014:12:51:31 +0800]
>         slapd_ldap_sasl_interactive_bind -
>         >     >     Error: could not perform interactive bind for id
>         [] mech [GSSAPI]:
>         >     >     LDAP error -2 (Local error) (SASL(-1): generic
>         failure: GSSAPI
>         >     >     Error: Unspecified GSS failure.  Minor code may
>         provide more
>         >     >     information (Ticket expired)) errno 0 (Success)
>         >     >     [30/Jun/2014:12:51:31 +0800]
>         slapd_ldap_sasl_interactive_bind -
>         >     >     Error: could not perform interactive bind for id
>         [] mech [GSSAPI]:
>         >     >     LDAP error -2 (Local error) (SASL(-1): generic
>         failure: GSSAPI
>         >     >     Error: Unspecified GSS failure.  Minor code may
>         provide more
>         >     >     information (Ticket expired)) errno 0 (Success)
>         >     >     [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind -
>         Error: could not
>         >     >     perform interactive bind for id [] mech [GSSAPI]:
>         error -2
>         >     (Local error)
>         >     >     [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin -
>         >     >     agmt="cn=meTo1.abc.com" (central:389):
>         >     >     Replication bind with GSSAPI auth failed: LDAP
>         error -2 (Local
>         >     >     error) (SASL(-1): generic failure: GSSAPI Error:
>         Unspecified GSS
>         >     >     failure.  Minor code may provide more information
>         (Ticket
>         >     expired))
>         >     >     [30/Jun/2014:12:51:34 +0800]
>         slapd_ldap_sasl_interactive_bind -
>         >     >     Error: could not perform interactive bind for id
>         [] mech [GSSAPI]:
>         >     >     LDAP error -2 (Local error) (SASL(-1): generic
>         failure: GSSAPI
>         >     >     Error: Unspecified GSS failure.  Minor code may
>         provide more
>         >     >     information (Ticket expired)) errno 0 (Success)
>         >     >     [30/Jun/2014:12:51:35 +0800]
>         slapd_ldap_sasl_interactive_bind -
>         >     >     Error: could not perform interactive bind for id
>         [] mech [GSSAPI]:
>         >     >     LDAP error -2 (Local error) (SASL(-1): generic
>         failure: GSSAPI
>         >     >     Error: Unspecified GSS failure.  Minor code may
>         provide more
>         >     >     information (Ticket expired)) errno 0 (Success)
>         >     >     [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind -
>         Error: could not
>         >     >     perform interactive bind for id [] mech [GSSAPI]:
>         error -2
>         >     (Local error)
>         >     >     [30/Jun/2014:12:51:40 +0800]
>         slapd_ldap_sasl_interactive_bind -
>         >     >     Error: could not perform interactive bind for id
>         [] mech [GSSAPI]:
>         >     >     LDAP error -2 (Local error) (SASL(-1): generic
>         failure: GSSAPI
>         >     >     Error: Unspecified GSS failure.  Minor code may
>         provide more
>         >     >     information (Ticket expired)) errno 0 (Success)
>         >     >     [30/Jun/2014:12:51:40 +0800]
>         slapd_ldap_sasl_interactive_bind -
>         >     >     Error: could not perform interactive bind for id
>         [] mech [GSSAPI]:
>         >     >     LDAP error -2 (Local error) (SASL(-1): generic
>         failure: GSSAPI
>         >     >     Error: Unspecified GSS failure.  Minor code may
>         provide more
>         >     >     information (Ticket expired)) errno 0 (Success)
>         >     >     [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind -
>         Error: could not
>         >     >     perform interactive bind for id [] mech [GSSAPI]:
>         error -2
>         >     (Local error)
>         >     >
>         >     >
>         >     >     2014-07-02 12:32 GMT+08:00 <barrykfl at gmail.com>:
>         >     >
>         >     >         yes on node 1 it is happening only node2 fail
>         connect
>         >     >
>         >     >         ipa-replica-manage list 2.abc.com
>         >     >         Directory Manager password:
>         >     >
>         >     > 1.abc.com: replica
>         >     >
>         >     >
>         >     >
>         >     >         2014-06-30 20:59 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>         >     >
>         >     >             Barry wrote:
>         >     >             > Hi:
>         >     >             >
>         >     >             > Server 1 and Server 2 is cluster master master originally,
>         >     >             > but server 2 fail to connect server1.
>         >     >             >
>         >     >             > ipa-replica-manage list shown Can't
>         contact LDAP server
>         >     >             >
>         >     >             > But as server1 it is ok  master server1
>         master server2 ,
>         >     >             >
>         >     >             > It seem affect if update on server 1 then it sync to
>         >     >             > server2 no problem
>         >     >             > but sometimes if modify in server2 if fail to update server1.
>         >     >             >
>         >     >             > Any idea to rebuild mutual relationship.?
>         >     >
>         >     >             The first step is to diagnose what is
>         wrong. I've already
>         >     >             suggested a
>         >     >             few things,
>         >     >
>         >
>         https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html
>         >     >
>         >     >             rob
>         >     >
>         >     >             --
>         >     >             Manage your subscription for the
>         Freeipa-users mailing
>         >     list:
>         >     > https://www.redhat.com/mailman/listinfo/freeipa-users
>         >     >             Go To http://freeipa.org for more info on
>         the project
>         >     >
>         >     >
>         >     >
>         >     >
>         >
>
>
>
>
>
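
Added example, not part of the original thread: one way to pull every operation for a single conn= number out of a 389 Directory Server access log and check whether that connection carried a replication session, which is what the reply above asks for. The connection numbers, addresses and DNs in the sample log are constructed; a connection is classed as replication when it contains one of the server's replication extended-operation OIDs.

```shell
#!/bin/sh
# Constructed sample data below; nothing here is taken from the poster's logs.

# 389 DS replication extended-operation OIDs (start, response, end, entry, NSDS90 start).
REPL_OIDS='2\.16\.840\.1\.113730\.3\.5\.(3|4|5|6|12)'

# Print every access-log line that belongs to one connection number.
conn_ops() {            # usage: conn_ops LOGFILE CONN
    grep -F "] conn=$2 " "$1"
}

# "replication" if the connection carries a replication extended operation.
conn_kind() {           # usage: conn_kind LOGFILE CONN
    if conn_ops "$1" "$2" | grep -Eq "EXT oid=\"$REPL_OIDS\""; then
        echo replication
    else
        echo other
    fi
}

# DN the connection ended up bound as, taken from the successful BIND RESULT.
conn_bind_dn() {        # usage: conn_bind_dn LOGFILE CONN
    conn_ops "$1" "$2" |
        sed -n 's/.* RESULT err=0 tag=97 .* dn="\([^"]*\)".*/\1/p' | tail -n 1
}

sample_log() {          # constructed: conn=101 is a local client, conn=102 a supplier
cat <<'EOF'
[04/Jul/2014:12:35:30 +0800] conn=101 fd=73 slot=73 connection from 192.0.2.10 to 192.0.2.10
[04/Jul/2014:12:35:30 +0800] conn=101 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jul/2014:12:35:30 +0800] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
[04/Jul/2014:12:35:30 +0800] conn=101 op=1 SRCH base="dc=example,dc=test" scope=2 filter="(uid=alice)" attrs=ALL
[04/Jul/2014:12:35:30 +0800] conn=101 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[04/Jul/2014:12:35:31 +0800] conn=102 fd=74 slot=74 connection from 192.0.2.11 to 192.0.2.10
[04/Jul/2014:12:35:31 +0800] conn=102 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jul/2014:12:35:31 +0800] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/server2.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test"
[04/Jul/2014:12:35:31 +0800] conn=102 op=1 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[04/Jul/2014:12:35:31 +0800] conn=102 op=1 RESULT err=0 tag=120 nentries=0 etime=0
[04/Jul/2014:12:35:32 +0800] conn=102 op=2 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
EOF
}

log=$(mktemp) && sample_log > "$log"
for c in 101 102; do
    echo "conn=$c kind=$(conn_kind "$log" "$c") bound_as=$(conn_bind_dn "$log" "$c")"
done
rm -f "$log"
```

A connection whose source and destination are the same host, like conn=101 in the sample, can be an ordinary local LDAP client; the operations on the connection, not the addresses on its first line, show whether it is a replication session.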
