[Freeipa-users] ipa-replica-manage list fail on server 2
Rich Megginson
rmeggins at redhat.com
Thu Jul 10 15:18:12 UTC 2014
On 07/10/2014 09:15 AM, barrykfl at gmail.com wrote:
>
> But any hint why server 2 says can't contact LDAP server if I type an ipa
> command?
>
Please keep replies on list.
You still get "cant contact ldap server" after upgrading both servers?
> On 2014/7/10 10:25 PM, "Rich Megginson" <rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> wrote:
>
> On 07/10/2014 01:14 AM, barrykfl at gmail.com
> <mailto:barrykfl at gmail.com> wrote:
>> Tried, and now the two versions are the same ... but it seems to be the same situation.
>>
>> I found a related error log showing that server1 has the account after a
>> user is added, but it is not replicated to server2. Is it clicking too fast
>> in the UI? I experienced once that clicking very fast twice, to add and
>> edit a user, may cause server 2 to have no record.
>>
>>
>> [10/Jul/2014:14:20:01 +0800] NSMMReplicationPlugin - changelog
>> program - _cl5WriteOperationTxn: retry (49) the transaction
>> (csn=53be3097000000040000) failed (rc=-30994 (DB_LOCK_DEADLOCK:
>> Locker killed to resolve a deadlock))
>> [10/Jul/2014:14:20:01 +0800] NSMMReplicationPlugin - changelog
>> program - _cl5WriteOperationTxn: failed to write entry with csn
>> (53be3097000000040000); db error - -30994 DB_LOCK_DEADLOCK:
>> Locker killed to resolve a deadlock
>> [10/Jul/2014:14:20:01 +0800] NSMMReplicationPlugin -
>> write_changelog_and_ruv: can't add a change for
>> uid=xuehuimei,cn=users,cn=accounts,dc=abc,dc=com (uniqid:
>> 1300de84-07fa11e4-b3ddf885-593f3a7a, optype: 16) to changelog csn
>> 53be3097000000040000
>> [10/Jul/2014:14:56:51 +0800] NSMMReplicationPlugin - changelog
>> program - _cl5WriteOperationTxn: retry (49) the transaction
>> (csn=53be3939000000040000) failed (rc=-30994 (DB_LOCK_DEADLOCK:
>> Locker killed to resolve a deadlock))
>> [10/Jul/2014:14:56:51 +0800] NSMMReplicationPlugin - changelog
>> program - _cl5WriteOperationTxn: failed to write entry with csn
>> (53be3939000000040000); db error - -30994 DB_LOCK_DEADLOCK:
>> Locker killed to resolve a deadlock
>> [10/Jul/2014:14:56:51 +0800] NSMMReplicationPlugin -
>> write_changelog_and_ruv: can't add a change for
>> uid=websubcon04,cn=users,cn=accounts,dc=abc,dc=com (uniqid:
>> 3e39fc81-07ff11e4-b3ddf885-593f3a7a, optype: 16) to changelog csn
>> 53be3939000000040000
>
> This looks like https://fedorahosted.org/389/ticket/47409 and
> https://bugzilla.redhat.com/show_bug.cgi?id=979169
>
> Cause: Under certain conditions, with a mix of concurrent search
> and update and outgoing replication operations, there will be
> deadlocks in the changelog db, leading to error messages like this:
> NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn:
> failed to write entry with csn (XXXXXXX); db error - -30994
> DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
> This is caused by a deadlock between the changelog readers,
> writers, and main database writers.
>
> Consequence: Update operations will fail with the above error
> message in the directory server errors log.
>
> Fix: A new configuration parameter is introduced:
> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> nsslapd-db-deadlock-policy: 9
>
> With the default policy 9 (DB_LOCK_YOUNGEST), the last locker gets
> killed when there is a deadlock. In the case that this is the
> changelog writer, the write will fail, and the entire update will
> fail.
>
> Users who frequently see the above errors in the errors log are
> advised to change this setting to 6 (DB_LOCK_MINWRITE), which will
> instead kill the locker that has the fewest write locks (that is,
> the changelog reader). The changelog reader code has been changed
> to handle this deadlock condition and retry. The setting can be
> changed like this:
>
> ldapmodify -x -D "cn=directory manager" -W <<EOF
> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-db-deadlock-policy
> nsslapd-db-deadlock-policy: 6
> EOF
>
> You may ask why the default is not changed to 6. The answer is
> that the setting will apply to _all_ threads, so that changing
> this setting could cause regular search requests to fail, if the
> directory server is under a heavy update load. In our testing, we
> did not see this happen, but we cannot guarantee that changing
> this value to 6 will not impact regular search requests.
>
> Result: After changing nsslapd-db-deadlock-policy to 6, updates
> will succeed and no longer cause errors like the above.
>
>
>>
>>
>> 2014-07-10 10:40 GMT+08:00 Rich Megginson <rmeggins at redhat.com
>> <mailto:rmeggins at redhat.com>>:
>>
>> On 07/09/2014 08:36 PM, barrykfl at gmail.com
>> <mailto:barrykfl at gmail.com> wrote:
>>> Hi :
>>>
>>> What is the procedure for this minor update ?
>>>
>>> just yum update ipa-server after stop the server?
>>
>> If you just want to upgrade only the LDAP server, which is
>> the component that I for sure know is out of date, then yum
>> update 389-ds-base.
>>
>> Or just "yum update" - in general I don't like running
>> "franken-systems" which have a mix of up-to-date and out of
>> date packages. Note that "IPA server" is composed of several
>> packages.
>>
>> You do not need to stop the server. yum/rpm upgrade will
>> restart as needed. If you want to make sure, do ipactl
>> restart after upgrade.
>>
>>
>>> and the effect on the existing LDAP?
>>
>> Not sure what you mean. Upgrade should not touch any config
>> or data.
>>
>>
>>>
>>> As server 2 is also a master replica, do I need to redo
>>> ipa-replica install?
>>
>> No, you just need to perform the same upgrade procedure.
>>
>>
>>>
>>> barry
>>>
>>>
>>> 2014-07-09 22:20 GMT+08:00 Rich Megginson
>>> <rmeggins at redhat.com <mailto:rmeggins at redhat.com>>:
>>>
>>> On 07/08/2014 09:02 PM, barrykfl at gmail.com
>>> <mailto:barrykfl at gmail.com> wrote:
>>>> Some error i found :
>>>>
>>>>
>>>> server1.abc.com:636
>>>> (/etc/dirsrv/slapd-abc-COM)
>>>>
>>>> [29/Jun/2014:02:00:56 +0800] - 389-Directory/1.2.11.25
>>>> B2013.325.1951 starting up
>>>> [29/Jun/2014:02:00:56 +0800] attrcrypt -
>>>> attrcrypt_unwrap_key: failed to unwrap key for cipher AES
>>>> [29/Jun/2014:02:00:56 +0800] attrcrypt -
>>>> attrcrypt_cipher_init: symmetric key failed to unwrap
>>>> with the private key; Cert might have been renewed
>>>> since the key is wrapped. To recover the encrypted
>>>> contents, keep the wrapped symmetric key value.
>>>> [29/Jun/2014:02:00:56 +0800] attrcrypt -
>>>> attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
>>>> [29/Jun/2014:02:00:56 +0800] attrcrypt -
>>>> attrcrypt_cipher_init: symmetric key failed to unwrap
>>>> with the private key; Cert might have been renewed
>>>> since the key is wrapped. To recover the encrypted
>>>> contents, keep the wrapped symmetric key value.
>>>> [29/Jun/2014:02:00:56 +0800] attrcrypt - All prepared
>>>> ciphers are not available. Please disable attribute
>>>> encryption.
>>>> [29/Jun/2014:02:00:56 +0800] schema-compat-plugin -
>>>> warning: no entries set up under cn=computers,
>>>> cn=compat,dc=abc,dc=com
>>>> [29/Jun/2014:02:00:57 +0800] schema-compat-plugin -
>>>> warning: no entries set up under cn=ng,
>>>> cn=compat,dc=abc,dc=com
>>>> [29/Jun/2014:02:00:57 +0800] schema-compat-plugin -
>>>> warning: no entries set up under ou=sudoers,dc=abc,dc=com
>>>> [29/Jun/2014:02:00:57 +0800] - Skipping CoS Definition
>>>> cn=Password Policy,cn=accounts,dc=abc,dc=com--no CoS
>>>> Templates found, which should be added before the CoS
>>>> Definition.
>>>> [29/Jun/2014:02:00:57 +0800] set_krb5_creds - Could not
>>>> get initial credentials for principal
>>>> [ldap/server1.abc.com at abc.COM] in keytab
>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot
>>>> contact any KDC for requested realm)
>>>> [29/Jun/2014:02:00:58 +0800] - Skipping CoS Definition
>>>> cn=Password Policy,cn=accounts,dc=abc,dc=com--no CoS
>>>> Templates found, which should be added before the CoS
>>>> Definition.
>>>> [29/Jun/2014:02:00:58 +0800]
>>>> slapd_ldap_sasl_interactive_bind - Error: could not
>>>> perform interactive bind for id [] mech [GSSAPI]: LDAP
>>>> error -2 (Local error) (SASL(-1): generic failure:
>>>> GSSAPI Error: Unspecified GSS failure. Minor code may
>>>> provide more information (Credentials cache file
>>>> '/tmp/krb5cc_492' not found)) errno 0 (Success)
>>>> [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error:
>>>> could not perform interactive bind for id [] mech
>>>> [GSSAPI]: error -2 (Local error)
>>>> [29/Jun/2014:02:00:58 +0800] NSMMReplicationPlugin -
>>>> agmt="cn=meToserver2.abc.com" (server2:389):
>>>> Replication bind with GSSAPI auth failed: LDAP error -2
>>>> (Local error) (SASL(-1): generic failure: GSSAPI Error:
>>>> Unspecified GSS failure. Minor code may provide more
>>>> information (Credentials cache file '/tmp/krb5cc_492'
>>>> not found))
>>>> [29/Jun/2014:02:00:58 +0800] - slapd started.
>>>> Listening on All Interfaces port 389 for LDAP requests
>>>> [29/Jun/2014:02:00:58 +0800] - Listening on All
>>>> Interfaces port 636 for LDAPS requests
>>>>
>>>>
>>>> 389-Directory/1.2.11.15 B2013.240.174
>>>> server2.abc.com:636
>>>> (/etc/dirsrv/slapd-abc-COM)
>>>>
>>>> [30/Jun/2014:12:51:31 +0800]
>>>> slapd_ldap_sasl_interactive_bind - Error: could not
>>>> perform interactive bind for id [] mech [GSSAPI]: LDAP
>>>> error -2 (Local error) (SASL(-1): generic failure:
>>>> GSSAPI Error: Unspecified GSS failure. Minor code may
>>>> provide more information (Ticket expired)) errno 0
>>>> (Success)
>>>> [30/Jun/2014:12:51:31 +0800]
>>>> slapd_ldap_sasl_interactive_bind - Error: could not
>>>> perform interactive bind for id [] mech [GSSAPI]: LDAP
>>>> error -2 (Local error) (SASL(-1): generic failure:
>>>> GSSAPI Error: Unspecified GSS failure. Minor code may
>>>> provide more information (Ticket expired)) errno 0
>>>> (Success)
>>>> [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error:
>>>> could not perform interactive bind for id [] mech
>>>> [GSSAPI]: error -2 (Local error)
>>>> [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin -
>>>> agmt="cn=meToserver1.abc.com" (server1:389):
>>>> Replication bind with GSSAPI auth failed: LDAP error -2
>>>> (Local error) (SASL(-1): generic failure: GSSAPI Error:
>>>> Unspecified GSS failure. Minor code may provide more
>>>> information (Ticket expired))
>>>> [30/Jun/2014:12:51:34 +0800]
>>>> slapd_ldap_sasl_interactive_bind - Error: could not
>>>> perform interactive bind for id [] mech [GSSAPI]: LDAP
>>>> error -2 (Local error) (SASL(-1): generic failure:
>>>> GSSAPI Error: Unspecified GSS failure. Minor code may
>>>> provide more information (Ticket expired)) errno 0
>>>> (Success)
>>>> [30/Jun/2014:12:51:35 +0800]
>>>> slapd_ldap_sasl_interactive_bind - Error: could not
>>>> perform interactive bind for id [] mech [GSSAPI]: LDAP
>>>> error -2 (Local error) (SASL(-1): generic failure:
>>>> GSSAPI Error: Unspecified GSS failure. Minor code may
>>>> provide more information (Ticket expired)) errno 0
>>>> (Success)
>>>> [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error:
>>>> could not perform interactive bind for id [] mech
>>>> [GSSAPI]: error -2 (Local error)
>>>> [30/Jun/2014:12:51:40 +0800]
>>>> slapd_ldap_sasl_interactive_bind - Error: could not
>>>> perform interactive bind for id [] mech [GSSAPI]: LDAP
>>>> error -2 (Local error) (SASL(-1): generic failure:
>>>> GSSAPI Error: Unspecified GSS failure. Minor code may
>>>> provide more information (Ticket expired)) errno 0
>>>> (Success)
>>>> [30/Jun/2014:12:51:40 +0800]
>>>> slapd_ldap_sasl_interactive_bind - Error: could not
>>>> perform interactive bind for id [] mech [GSSAPI]: LDAP
>>>> error -2 (Local error) (SASL(-1): generic failure:
>>>> GSSAPI Error: Unspecified GSS failure. Minor code may
>>>> provide more information (Ticket expired)) errno 0
>>>> (Success)
>>>> [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error:
>>>> could not perform interactive bind for id [] mech
>>>> [GSSAPI]: error -2 (Local error)
>>>> [30/Jun/2014:12:51:52 +0800] NSMMReplicationPlugin -
>>>> agmt="cn=meToserver1.abc.com" (server1:389):
>>>> Replication bind with GSSAPI auth resumed
>>>>
>>>
>>> You are using an older version of 389. The version on
>>> server2 is older than the version on server1. Can you
>>> upgrade and see if that fixes your problems? Even if it
>>> doesn't fix your problems, it will be much easier for us
>>> to support.
>>>
>>>
>>>>
>>>> 2014-07-09 10:55 GMT+08:00 <barrykfl at gmail.com
>>>> <mailto:barrykfl at gmail.com>>:
>>>>
>>>> FYI..
>>>> 160: [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73
>>>> slot=73 connection from 192.168.156.89 to
>>>> 192.168.156.89
>>>> 163: [04/Jul/2014:12:35:30 +0800] conn=936207 op=-1
>>>> fd=73 closed - B1
>>>>
>>>> There is nothing about binding, but I am unsure how to fix it ..
>>>>
>>>>
>>>>
>>>>
>>>> 2014-07-09 2:01 GMT+08:00 Rich Megginson
>>>> <rmeggins at redhat.com <mailto:rmeggins at redhat.com>>:
>>>>
>>>> On 07/08/2014 02:16 AM, barrykfl at gmail.com
>>>> <mailto:barrykfl at gmail.com> wrote:
>>>>> Resent as size limit.
>>>>>
>>>>>
>>>>> Here you are: server1's access log. It seems one
>>>>> side is broken
>>>>>
>>>>> the problem is how to make it replicate again.
>>>>>
>>>>> At server 1
>>>>>
>>>>> it is ok master server1 master server2
>>>>>
>>>>>
>>>>> Another side server 2 contains 2 ip replication.
>>>>>
>>>>> ipa-replica-manage list shown Can't contact
>>>>> LDAP server
>>>>>
>>>>> I don't know why, but the problematic server is
>>>>> server 2, not server 1
>>>>>
>>>>> log of server2
>>>>> [08/Jul/2014:16:02:40 +0800] conn=3299731
>>>>> fd=69 slot=69 connection from 192.168.15.89
>>>>> (server1) to 192.168.15.88(server2)
>>>>> [08/Jul/2014:16:02:40 +0800] conn=3299731
>>>>> op=-1 fd=69 closed - B1
>>>>> [08/Jul/2014:16:02:40 +0800] conn=3299732
>>>>> fd=69 slot=69 connection from 192.168.15.89 to
>>>>> 192.168.15.88
>>>>> [08/Jul/2014:16:02:40 +0800] conn=3299732
>>>>> op=-1 fd=69 closed - B1
>>>>> [08/Jul/2014:16:02:41 +0800] conn=3299733
>>>>> fd=69 slot=69 connection from 192.168.15.89 to
>>>>> 192.168.15.88
>>>>> [08/Jul/2014:16:02:41 +0800] conn=3299733
>>>>> op=-1 fd=69 closed - B1
>>>>
>>>> You never answered my question below. "Are you
>>>> sure that this connection is a replication
>>>> session? Can you post all of the operations
>>>> from the access log from conn=936207?"
>>>>
>>>> In the future, please avoid spamming the list
>>>> with large log files. In general, it's better
>>>> to provide excerpts from the log files showing
>>>> the problem, paste them to fpaste.org
>>>> <http://fpaste.org>, and post the link to the
>>>> mailing list. If for some reason you need to
>>>> post a large file, please use a file sharing
>>>> service and post the link to the file.
>>>>
>>>> Can you take a look at your errors log from
>>>> server 1 and server 2 and see if there are any
>>>> relevant errors?
>>>>
>>>> If I had to guess, I would say that there is
>>>> some sort of network error between server 1 and
>>>> server 2 that causes the excessive closed - B1.
>>>> Perhaps there will be more information in the
>>>> errors log.
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2014-07-07 22:21 GMT+08:00 Rich Megginson
>>>>> <rmeggins at redhat.com
>>>>> <mailto:rmeggins at redhat.com>>:
>>>>>
>>>>> On 07/04/2014 03:28 AM, barrykfl at gmail.com
>>>>> <mailto:barrykfl at gmail.com> wrote:
>>>>>> FOUND something strange that server 1
>>>>>> replicate to itself rather than server2
>>>>>>
>>>>>> Server1 access log > Wrong
>>>>>> [04/Jul/2014:12:35:30 +0800] conn=936207
>>>>>> fd=73 slot=73 connection from
>>>>>> 192.168.15.89( server1 ) to
>>>>>> 192.168.15.89 (server1)
>>>>>
>>>>> Are you sure that this connection is a
>>>>> replication session? Can you post all of
>>>>> the operations from the access log from
>>>>> conn=936207?
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> Server 2 access log > OK
>>>>>> [04/Jul/2014:12:35:30 +0800] conn=936208
>>>>>> fd=74 slot=74 connection from
>>>>>> 192.168.15.89(server2) to 192.168.15.88
>>>>>> (server2)
>>>>>>
>>>>>>
>>>>>> 2014-07-04 9:25 GMT+08:00
>>>>>> <barrykfl at gmail.com
>>>>>> <mailto:barrykfl at gmail.com>>:
>>>>>>
>>>>>> Just sure now one side flow is
>>>>>> broken, if u update server1 , it 100%
>>>>>> work server2 will upgrade.
>>>>>> but if u update server2 there is
>>>>>> chance non-syn e.g it create username
>>>>>> in server1 with posfix grp >ok
>>>>>> but in server2 it only created posfix
>>>>>> grp but no username/attribute. It
>>>>>> occurred several times. I have to use
>>>>>> command line grp del ... etc. to force
>>>>>> delete them and recreate them.
>>>>>>
>>>>>> Result below:
>>>>>>
>>>>>> server2.abc.com: replica
>>>>>> last init status: None
>>>>>> last init ended: None
>>>>>> last update status: 0 Replica
>>>>>> acquired successfully: Incremental
>>>>>> update succeeded
>>>>>> last update ended: 2014-07-04
>>>>>> 00:33:18+00:00
>>>>>>
>>>>>> Directory Manager password:
>>>>>>
>>>>>> server1.abc.com: replica
>>>>>> last init status: 0 Total update
>>>>>> succeeded
>>>>>> last init ended: 2014-06-20
>>>>>> 10:07:02+00:00
>>>>>> last update status: 0 Replica
>>>>>> acquired successfully: Incremental
>>>>>> update succeeded
>>>>>> last update ended: 2014-07-04
>>>>>> 01:14:19+00:00
>>>>>>
>>>>>>
>>>>>>
>>>>>> [root@(LIVE)server2 ~]$ ipactl status
>>>>>> Directory Service: RUNNING
>>>>>> KDC Service: RUNNING
>>>>>> KPASSWD Service: RUNNING
>>>>>> MEMCACHE Service: RUNNING
>>>>>> HTTP Service: RUNNING
>>>>>>
>>>>>>
>>>>>> 2014-07-04 1:34 GMT+08:00 Rob
>>>>>> Crittenden <rcritten at redhat.com
>>>>>> <mailto:rcritten at redhat.com>>:
>>>>>>
>>>>>> barrykfl at gmail.com
>>>>>> <mailto:barrykfl at gmail.com> wrote:
>>>>>> > Yes they are running. Server 1
>>>>>> can syn to server2 but error at
>>>>>> server 2
>>>>>> > like this.
>>>>>>
>>>>>> How do you know server 1 is
>>>>>> syncing with server 2?
>>>>>>
>>>>>> On server 1 I'd run:
>>>>>>
>>>>>> ipa-replica-manage list -v `hostname`
>>>>>>
>>>>>> This will show the replication
>>>>>> status.
>>>>>>
>>>>>> And what does ipactl status show
>>>>>> on server 2?
>>>>>>
>>>>>> rob
>>>>>>
>>>>>> >
>>>>>> > On 2014/7/3 10:14 PM, "Rob
>>>>>> Crittenden" <rcritten at redhat.com
>>>>>> <mailto:rcritten at redhat.com>
>>>>>> > <mailto:rcritten at redhat.com
>>>>>> <mailto:rcritten at redhat.com>>> wrote:
>>>>>> >
>>>>>> > Please keep replies on the list.
>>>>>> >
>>>>>> > barrykfl at gmail.com
>>>>>> <mailto:barrykfl at gmail.com>
>>>>>> <mailto:barrykfl at gmail.com
>>>>>> <mailto:barrykfl at gmail.com>> wrote:
>>>>>> > > I saw the error below and
>>>>>> error log, is it related?
>>>>>> > >
>>>>>> > > 29/Jun/2014:02:00:58
>>>>>> +0800]
>>>>>> slapd_ldap_sasl_interactive_bind
>>>>>> - Error:
>>>>>> > > could not perform
>>>>>> interactive bind for id [] mech
>>>>>> [GSSAPI]: LDAP error
>>>>>> > > -2 (Local error)
>>>>>> (SASL(-1): generic failure:
>>>>>> GSSAPI Error: Unspecified
>>>>>> > > GSS failure. Minor code
>>>>>> may provide more information
>>>>>> (Credentials
>>>>>> > cache
>>>>>> > > file '/tmp/krb5cc_492'
>>>>>> not found)) errno 0 (Success)
>>>>>> > > [29/Jun/2014:02:00:58
>>>>>> +0800] slapi_ldap_bind - Error:
>>>>>> could not
>>>>>> > perform
>>>>>> > > interactive bind for id
>>>>>> [] mech [GSSAPI]: error -2 (Local
>>>>>> error)
>>>>>> >
>>>>>> > I believe this is fairly
>>>>>> normal on a new startup. It has
>>>>>> to start
>>>>>> > somewhere. The expired ticket
>>>>>> errors below are unexpected since
>>>>>> there
>>>>>> > are so many of them. Is
>>>>>> your KDC running?
>>>>>> >
>>>>>> > ipactl status
>>>>>> >
>>>>>> > rob
>>>>>> >
>>>>>> > >
>>>>>> > >
>>>>>> > > 2014-07-02 14:15
>>>>>> GMT+08:00 <barrykfl at gmail.com
>>>>>> <mailto:barrykfl at gmail.com>
>>>>>> > <mailto:barrykfl at gmail.com
>>>>>> <mailto:barrykfl at gmail.com>>
>>>>>> <mailto:barrykfl at gmail.com
>>>>>> <mailto:barrykfl at gmail.com>
>>>>>> > <mailto:barrykfl at gmail.com
>>>>>> <mailto:barrykfl at gmail.com>>>>:
>>>>>> > >
>>>>>> > >
>>>>>> > > this is the error log
>>>>>> I found at 2.abc.com
>>>>>> > >
>>>>>> > > [30/Jun/2014:12:51:31
>>>>>> +0800]
>>>>>> slapd_ldap_sasl_interactive_bind -
>>>>>> > > Error: could not
>>>>>> perform interactive bind for id
>>>>>> [] mech [GSSAPI]:
>>>>>> > > LDAP error -2 (Local
>>>>>> error) (SASL(-1): generic
>>>>>> failure: GSSAPI
>>>>>> > > Error: Unspecified
>>>>>> GSS failure. Minor code may
>>>>>> provide more
>>>>>> > > information (Ticket
>>>>>> expired)) errno 0 (Success)
>>>>>> > > [30/Jun/2014:12:51:31
>>>>>> +0800]
>>>>>> slapd_ldap_sasl_interactive_bind -
>>>>>> > > Error: could not
>>>>>> perform interactive bind for id
>>>>>> [] mech [GSSAPI]:
>>>>>> > > LDAP error -2 (Local
>>>>>> error) (SASL(-1): generic
>>>>>> failure: GSSAPI
>>>>>> > > Error: Unspecified
>>>>>> GSS failure. Minor code may
>>>>>> provide more
>>>>>> > > information (Ticket
>>>>>> expired)) errno 0 (Success)
>>>>>> > > [30/Jun/2014:12:51:31
>>>>>> +0800] slapi_ldap_bind - Error:
>>>>>> could not
>>>>>> > > perform interactive
>>>>>> bind for id [] mech [GSSAPI]:
>>>>>> error -2
>>>>>> > (Local error)
>>>>>> > > [30/Jun/2014:12:51:31
>>>>>> +0800] NSMMReplicationPlugin -
>>>>>> > >
>>>>>> agmt="cn=meTo1.abc.com"
>>>>>> (central:389):
>>>>>> > > Replication bind with
>>>>>> GSSAPI auth failed: LDAP error -2
>>>>>> (Local
>>>>>> > > error) (SASL(-1):
>>>>>> generic failure: GSSAPI Error:
>>>>>> Unspecified GSS
>>>>>> > > failure. Minor code
>>>>>> may provide more information (Ticket
>>>>>> > expired))
>>>>>> > > [30/Jun/2014:12:51:34
>>>>>> +0800]
>>>>>> slapd_ldap_sasl_interactive_bind -
>>>>>> > > Error: could not
>>>>>> perform interactive bind for id
>>>>>> [] mech [GSSAPI]:
>>>>>> > > LDAP error -2 (Local
>>>>>> error) (SASL(-1): generic
>>>>>> failure: GSSAPI
>>>>>> > > Error: Unspecified
>>>>>> GSS failure. Minor code may
>>>>>> provide more
>>>>>> > > information (Ticket
>>>>>> expired)) errno 0 (Success)
>>>>>> > > [30/Jun/2014:12:51:35
>>>>>> +0800]
>>>>>> slapd_ldap_sasl_interactive_bind -
>>>>>> > > Error: could not
>>>>>> perform interactive bind for id
>>>>>> [] mech [GSSAPI]:
>>>>>> > > LDAP error -2 (Local
>>>>>> error) (SASL(-1): generic
>>>>>> failure: GSSAPI
>>>>>> > > Error: Unspecified
>>>>>> GSS failure. Minor code may
>>>>>> provide more
>>>>>> > > information (Ticket
>>>>>> expired)) errno 0 (Success)
>>>>>> > > [30/Jun/2014:12:51:35
>>>>>> +0800] slapi_ldap_bind - Error:
>>>>>> could not
>>>>>> > > perform interactive
>>>>>> bind for id [] mech [GSSAPI]:
>>>>>> error -2
>>>>>> > (Local error)
>>>>>> > > [30/Jun/2014:12:51:40
>>>>>> +0800]
>>>>>> slapd_ldap_sasl_interactive_bind -
>>>>>> > > Error: could not
>>>>>> perform interactive bind for id
>>>>>> [] mech [GSSAPI]:
>>>>>> > > LDAP error -2 (Local
>>>>>> error) (SASL(-1): generic
>>>>>> failure: GSSAPI
>>>>>> > > Error: Unspecified
>>>>>> GSS failure. Minor code may
>>>>>> provide more
>>>>>> > > information (Ticket
>>>>>> expired)) errno 0 (Success)
>>>>>> > > [30/Jun/2014:12:51:40
>>>>>> +0800]
>>>>>> slapd_ldap_sasl_interactive_bind -
>>>>>> > > Error: could not
>>>>>> perform interactive bind for id
>>>>>> [] mech [GSSAPI]:
>>>>>> > > LDAP error -2 (Local
>>>>>> error) (SASL(-1): generic
>>>>>> failure: GSSAPI
>>>>>> > > Error: Unspecified
>>>>>> GSS failure. Minor code may
>>>>>> provide more
>>>>>> > > information (Ticket
>>>>>> expired)) errno 0 (Success)
>>>>>> > > [30/Jun/2014:12:51:40
>>>>>> +0800] slapi_ldap_bind - Error:
>>>>>> could not
>>>>>> > > perform interactive
>>>>>> bind for id [] mech [GSSAPI]:
>>>>>> error -2
>>>>>> > (Local error)
>>>>>> > >
>>>>>> > >
>>>>>> > > 2014-07-02 12:32
>>>>>> GMT+08:00 <barrykfl at gmail.com
>>>>>> <mailto:barrykfl at gmail.com>
>>>>>> > <mailto:barrykfl at gmail.com
>>>>>> <mailto:barrykfl at gmail.com>>
>>>>>> > >
>>>>>> <mailto:barrykfl at gmail.com
>>>>>> <mailto:barrykfl at gmail.com>
>>>>>> <mailto:barrykfl at gmail.com
>>>>>> <mailto:barrykfl at gmail.com>>>>:
>>>>>> > >
>>>>>> > > yes on node 1 it
>>>>>> is happening only node2 fail connect
>>>>>> > >
>>>>>> > > ipa-replica-manage list
>>>>>> 2.abc.com
>>>>>> > > Directory Manager password:
>>>>>> > >
>>>>>> > > 1.abc.com: replica
>>>>>> > >
>>>>>> > >
>>>>>> > >
>>>>>> > > 2014-06-30 20:59
>>>>>> GMT+08:00 Rob Crittenden
>>>>>> > <rcritten at redhat.com
>>>>>> <mailto:rcritten at redhat.com>
>>>>>> <mailto:rcritten at redhat.com
>>>>>> <mailto:rcritten at redhat.com>>
>>>>>> > >
>>>>>> <mailto:rcritten at redhat.com
>>>>>> <mailto:rcritten at redhat.com>
>>>>>> <mailto:rcritten at redhat.com
>>>>>> <mailto:rcritten at redhat.com>>>>:
>>>>>> > >
>>>>>> > > Barry wrote:
>>>>>> > > > Hi:
>>>>>> > >
>>>>>>
> ...
>
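
Added example, not part of the original thread and not code from 389-ds or FreeIPA: a Python triage of the two errors-log patterns discussed above, the changelog DB_LOCK_DEADLOCK write failures (which identify the entry whose update was lost) and the GSSAPI replication bind failures. The sample log is constructed (example.com names, made-up CSNs and uniqid) and is deliberately wrapped and `>`-quoted the way the logs in this thread were; all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the errors-log format quoted in the thread, wrapped and
# '>'-quoted as a mail client would leave it. DNs, CSNs and uniqid are made up.
SAMPLE = """\
>> [10/Jul/2014:14:20:01 +0800] NSMMReplicationPlugin - changelog
>> program - _cl5WriteOperationTxn: retry (49) the transaction
>> (csn=53be0000000000040000) failed (rc=-30994 (DB_LOCK_DEADLOCK:
>> Locker killed to resolve a deadlock))
>> [10/Jul/2014:14:20:01 +0800] NSMMReplicationPlugin - changelog
>> program - _cl5WriteOperationTxn: failed to write entry with csn
>> (53be0000000000040000); db error - -30994 DB_LOCK_DEADLOCK:
>> Locker killed to resolve a deadlock
>> [10/Jul/2014:14:20:01 +0800] NSMMReplicationPlugin -
>> write_changelog_and_ruv: can't add a change for
>> uid=user1,cn=users,cn=accounts,dc=example,dc=com (uniqid:
>> 00000000-00000000-00000000-00000001, optype: 16) to changelog csn
>> 53be0000000000040000
>> [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin -
>> agmt="cn=meToserver1.example.com" (server1:389):
>> Replication bind with GSSAPI auth failed: LDAP error -2
>> (Local error) (SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure. Minor code may provide more
>> information (Ticket expired))
>> [30/Jun/2014:12:51:52 +0800] NSMMReplicationPlugin -
>> agmt="cn=meToserver1.example.com" (server1:389):
>> Replication bind with GSSAPI auth resumed
"""

TS = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s*(.*)$")
WRITE_FAIL = re.compile(
    r"_cl5WriteOperationTxn: failed to write entry with csn \((\w+)\); db error - -30994")
LOST = re.compile(
    r"write_changelog_and_ruv: can't add a change for (.+?) \(uniqid: [^)]*\)"
    r" to changelog csn (\w+)")
BIND_FAIL = re.compile(
    r'agmt="([^"]+)" \([^)]*\): Replication bind with GSSAPI auth failed: '
    r".*information \(([^()]+)\)\)")
BIND_OK = re.compile(r'agmt="([^"]+)" \([^)]*\): Replication bind with GSSAPI auth resumed')

def records(text):
    """Yield (timestamp, message), undoing mail quoting and line wrapping."""
    current = None
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        if not line:
            continue
        m = TS.match(line)
        if m:                      # a timestamp starts a new log record
            if current:
                yield current[0], current[1].strip()
            current = [m.group(1), m.group(2)]
        elif current:              # anything else continues the previous record
            current[1] += " " + line
    if current:
        yield current[0], current[1].strip()

def triage(text):
    """Group the replication-relevant events found in an errors log."""
    report = {"write_failures": set(), "lost_updates": [],
              "bind_failures": Counter(), "bind_resumed": []}
    for ts, msg in records(text):
        if (m := WRITE_FAIL.search(msg)):
            report["write_failures"].add(m.group(1))
        elif (m := LOST.search(msg)):   # the entry that will be missing on the peer
            report["lost_updates"].append({"time": ts, "dn": m.group(1), "csn": m.group(2)})
        elif (m := BIND_FAIL.search(msg)):
            report["bind_failures"][(m.group(1), m.group(2))] += 1
        elif (m := BIND_OK.search(msg)):
            report["bind_resumed"].append((ts, m.group(1)))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Entries listed under `lost_updates` are the ones to compare between the two masters; a recurring non-empty list is the situation for which the thread suggests `nsslapd-db-deadlock-policy: 6`.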