[Freeipa-users] ipa-replica-manage list fail on server 2
barrykfl at gmail.com
Tue Jul 8 08:16:23 UTC 2014
Resent as size limit.
Here you are, server1's access log. It seems one side is broken;
the problem is how to make it replicate again.
At server 1
it is ok master server1 master server2
Another side server 2 contains 2 ip replication.
ipa-replica-manage list shown Can't contact LDAP server
I don't know why but the problematic server is server 2 not server 1
log of server2
[08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from 192.168.15.89 (server1) to 192.168.15.88(server2)
[08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
[08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1
[08/Jul/2014:16:02:41 +0800] conn=3299733 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:41 +0800] conn=3299733 op=-1 fd=69 closed - B1
2014-07-07 22:21 GMT+08:00 Rich Megginson <rmeggins at redhat.com>:
> On 07/04/2014 03:28 AM, barrykfl at gmail.com wrote:
>
> FOUND something strange that server 1 replicate to itself rather than
> server2
>
> Server1 access log > Wrong
> [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.15.89( server1 ) to 192.168.15.89 (server1)
>
>
> Are you sure that this connection is a replication session? Can you post
> all of the operations from the access log from conn=936207?
>
>
>
>
> Server 2 access log > OK
> [04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection from 192.168.15.89(server2) to 192.168.15.88 (server2)
>
>
> 2014-07-04 9:25 GMT+08:00 <barrykfl at gmail.com>:
>
>> Just sure now one side flow is broken, if you update server1, it 100%
>> work server2 will upgrade.
>> but if you update server2 there is chance non-sync e.g. it create username
>> in server1 with posfix grp >ok
>> but in server2 it only created posfix grp but no username /attribute it
>> occur several times. I have to use command line grp del ...etc. to force
>> del them and recreate them.
>>
>> Result below:
>>
>> server2.abc.com: replica
>> last init status: None
>> last init ended: None
>> last update status: 0 Replica acquired successfully: Incremental update succeeded
>> last update ended: 2014-07-04 00:33:18+00:00
>>
>> Directory Manager password:
>>
>> server1.abc.com: replica
>> last init status: 0 Total update succeeded
>> last init ended: 2014-06-20 10:07:02+00:00
>> last update status: 0 Replica acquired successfully: Incremental update succeeded
>> last update ended: 2014-07-04 01:14:19+00:00
>>
>>
>>
>> [root@(LIVE)server2 ~]$ ipactl status
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>>
>>
>> 2014-07-04 1:34 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>>
>> barrykfl at gmail.com wrote:
>>> > Yes they are running. Server 1 can sync to server2 but error at server 2
>>> > like this.
>>>
>>> How do you know server 1 is syncing with server 2?
>>>
>>> On server 1 I'd run:
>>>
>>> ipa-replica-manage list -v `hostname`
>>>
>>> This will show the replication status.
>>>
>>> And what does ipactl status show on server 2?
>>>
>>> rob
>>>
>>> >
>>> > 2014/7/3 10:14 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
>>> >
>>> > Please keep replies on the list.
>>> >
>>> > barrykfl at gmail.com wrote:
>>> > > I saw the error below and error log, is it related?
>>> > >
>>> > > [29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
>>> > > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> >
>>> > I believe this is fairly normal on a new startup. It has to start
>>> > somewhere. The expired ticket errors below are unexpected since there
>>> > are so many of them. Is your KDC running?
>>> >
>>> > ipactl status
>>> >
>>> > rob
>>> >
>>> > >
>>> > >
>>> > > 2014-07-02 14:15 GMT+08:00 <barrykfl at gmail.com>:
>>> > >
>>> > >
>>> > > this is the error log i found at 2.abc.com
>>> > >
>>> > > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>>> > > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>>> > > [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> > > [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meTo1.abc.com" (central:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
>>> > > [30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>>> > > [30/Jun/2014:12:51:35 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>>> > > [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> > > [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>>> > > [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>>> > > [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> > >
>>> > >
>>> > > 2014-07-02 12:32 GMT+08:00 <barrykfl at gmail.com>:
>>> > >
>>> > > yes on node 1 it is happening only node2 fail connect
>>> > >
>>> > > ipa-replica-manage list 2.abc.com
>>> > > Directory Manager password:
>>> > >
>>> > > 1.abc.com: replica
>>> > >
>>> > >
>>> > >
>>> > > 2014-06-30 20:59 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>>> > >
>>> > > Barry wrote:
>>> > > > Hi:
>>> > > >
>>> > > > Server 1 and Server 2 is cluster master master originally, but server 2
>>> > > > fail to connect server1.
>>> > > >
>>> > > > ipa-replica-manage list shown Can't contact LDAP server
>>> > > >
>>> > > > But as server1 it is ok master server1 master server2,
>>> > > >
>>> > > > It seem affect if update on server 1 then it sync to server2 no problem
>>> > > > but sometimes if modify in server2 it fail to update server1.
>>> > > >
>>> > > > Any idea to rebuild mutual relationship?
>>> > >
>>> > > The first step is to diagnose what is wrong. I've already suggested a
>>> > > few things,
>>> > > https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html
>>> > >
>>> > > rob
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> >
>>>
>>>
>>
>
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: access(server1).zip
Type: application/zip
Size: 239756 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140708/9f7a8819/attachment.zip>
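Added example, not part of the original thread and not FreeIPA or 389 Directory Server code: a small Python script that groups access-log lines by conn= number (what Rich asks for with conn=936207) and counts, per client address, the connections that were closed without ever sending an operation, like the B1 closures in the server2 log. The sample log is constructed: the first four lines follow the ones quoted in this message, and conn=3299740 is an invented connection that carries operations, for contrast.

```python
import re
from collections import Counter, defaultdict

# Line layout as quoted in this thread: [timestamp] conn=N [op=N] rest
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+(?:op=(?P<op>-?\d+)\s+)?(?P<rest>.*)$")
# Tolerates hand-added annotations such as "(server1)" after an address.
CONNECT = re.compile(r"connection from (?P<src>[0-9A-Fa-f:.]+)\s*(?:\([^)]*\))?\s*to (?P<dst>[0-9A-Fa-f:.]+)")
CLOSED = re.compile(r"closed - (?P<code>\w+)")

# Constructed sample input (see lead-in); conn=3299740 is invented.
SAMPLE = """\
[08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from 192.168.15.89 (server1) to 192.168.15.88(server2)
[08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
[08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1
[08/Jul/2014:16:02:41 +0800] conn=3299740 fd=70 slot=70 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Jul/2014:16:02:42 +0800] conn=3299740 op=1 UNBIND
[08/Jul/2014:16:02:42 +0800] conn=3299740 op=1 fd=70 closed - U1
"""

def group_by_conn(text):
    """Return {conn_id: {src, dst, ops, close}} built from access-log text."""
    conns = defaultdict(lambda: {"src": None, "dst": None, "ops": [], "close": None})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected layout
        entry, rest = conns[int(m["conn"])], m["rest"]
        connect, closed = CONNECT.search(rest), CLOSED.search(rest)
        if connect:
            entry["src"], entry["dst"] = connect["src"], connect["dst"]
        elif closed:
            entry["close"] = closed["code"]
        elif m["op"] is not None and not rest.startswith("RESULT"):
            entry["ops"].append(rest.split()[0])  # operation keyword, e.g. BIND
    return dict(conns)

def closed_without_ops(conns):
    """Count (client address, close code) for connections that sent no operation."""
    return Counter((c["src"], c["close"]) for c in conns.values()
                   if c["close"] and not c["ops"])

if __name__ == "__main__":
    conns = group_by_conn(SAMPLE)
    for (src, code), n in closed_without_ops(conns).items():
        print(f"{src}: {n} connection(s) closed with {code} and no operations")
    print("conn 3299740 operations:", conns[3299740]["ops"])
```

A connection that appears only in the closed-without-operations count never reached a BIND, so it cannot be a completed replication session.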