[Freeipa-users] ipa-replica-manage list fail on server 2

Rich Megginson rmeggins at redhat.com
Tue Jul 8 18:01:37 UTC 2014


On 07/08/2014 02:16 AM, barrykfl at gmail.com wrote:
> Resent as size limit.
>
>
> Here u are  server1 's access log seem one side broken
>
> the problem is how to make it replicate again.
>
> At server 1
>
> it is ok  master server1 master server2
>
>
> Another side server 2 contains 2 ip replication.
>
> ipa-replica-manage list shown Can't contact LDAP server
>
> I don't know why but the problematic server is server 2 not server 1
>
> log of server2
> [08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection 
> from 192.168.15.89 (server1) to 192.168.15.88(server2)
> [08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
> [08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69 connection 
> from 192.168.15.89 to 192.168.15.88
> [08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1
> [08/Jul/2014:16:02:41 +0800] conn=3299733 fd=69 slot=69 connection 
> from 192.168.15.89 to 192.168.15.88
> [08/Jul/2014:16:02:41 +0800] conn=3299733 op=-1 fd=69 closed - B1

You never answered my question below.  "Are you sure that this 
connection is a replication session?  Can you post all of the operations 
from the access log from conn=936207?"

In the future, please avoid spamming the list with large log files. In 
general, it's better to provide excerpts from the log files showing the 
problem, paste them to fpaste.org, and post the link to the mailing 
list.  If for some reason you need to post a large file, please use a 
file sharing service and post the link to the file.

Can you take a look at your errors log from server 1 and server 2 and 
see if there are any relevant errors?

If I had to guess, I would say that there is some sort of network error 
between server 1 and server 2 that causes the excessive closed - B1.  
Perhaps there will be more information in the errors log.

>
>
>
> 2014-07-07 22:21 GMT+08:00 Rich Megginson <rmeggins at redhat.com>:
>
>     On 07/04/2014 03:28 AM, barrykfl at gmail.com wrote:
>>     FOUND something strange that server 1 replicate to itself rather
>>     than server2
>>
>>     Server1 access log > Wrong
>>     [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection
>>     from 192.168.15.89( server1 )  to 192.168.15.89 (server1)
>
>     Are you sure that this connection is a replication session?  Can
>     you post all of the operations from the access log from conn=936207?
>
>
>>
>>
>>     Server 2 access log > OK
>>     [04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection
>>     from 192.168.15.89(server2) to 192.168.15.88 (server2)
>>
>>
>>     2014-07-04 9:25 GMT+08:00 <barrykfl at gmail.com>:
>>
>>         Just sure now one side flow is broken, if u update server1 ,
>>         it 100% work server2 will upgrade.
>>         but if u update server2 there is chance non-syn e.g it create
>>         username  in server1 with posfix grp >ok
>>         but in server2 it only created posfix grp but no username
>>         /attribute it occur several times. I have to use command
>>         line grp del ...etc. to force del them and recreate them.,.
>>
>>         Result below:
>>
>>         server2.abc.com: replica
>>           last init status: None
>>           last init ended: None
>>           last update status: 0 Replica acquired successfully:
>>         Incremental update succeeded
>>           last update ended: 2014-07-04 00:33:18+00:00
>>
>>         Directory Manager password:
>>
>>         server1.abc.com: replica
>>           last init status: 0 Total update succeeded
>>           last init ended: 2014-06-20 10:07:02+00:00
>>           last update status: 0 Replica acquired successfully:
>>         Incremental update succeeded
>>           last update ended: 2014-07-04 01:14:19+00:00
>>
>>
>>
>>         [root@(LIVE)server2 ~]$  ipactl status
>>         Directory Service: RUNNING
>>         KDC Service: RUNNING
>>         KPASSWD Service: RUNNING
>>         MEMCACHE Service: RUNNING
>>         HTTP Service: RUNNING
>>
>>
>>         2014-07-04 1:34 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>>
>>             barrykfl at gmail.com wrote:
>>             > Yes they are running. Server 1 can syn to server2 but
>>             error at server 2
>>             > like this.
>>
>>             How do you know server 1 is syncing with server 2?
>>
>>             On server 1 I'd run:
>>
>>             ipa-replica-manage list -v `hostname`
>>
>>             This will show the replication status.
>>
>>             And what does ipactl status show on server 2?
>>
>>             rob
>>
>>             >
>>             > On 2014/7/3 10:14 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
>>             >
>>             >     Please keep replies on the list.
>>             >
>>             >     barrykfl at gmail.com wrote:
>>             >     > I saw the error below and error log is it related?
>>             >     >
>>             >     > 29/Jun/2014:02:00:58 +0800]
>>             slapd_ldap_sasl_interactive_bind - Error:
>>             >     > could not perform interactive bind for id [] mech
>>             [GSSAPI]: LDAP error
>>             >     > -2 (Local error) (SASL(-1): generic failure:
>>             GSSAPI Error: Unspecified
>>             >     > GSS failure.  Minor code may provide more
>>             information (Credentials
>>             >     cache
>>             >     > file '/tmp/krb5cc_492' not found)) errno 0 (Success)
>>             >     > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind -
>>             Error: could not
>>             >     perform
>>             >     > interactive bind for id [] mech [GSSAPI]: error
>>             -2 (Local error)
>>             >
>>             >     I believe this is fairly normal on a new startup.
>>             It has to start
>>             >     somewhere. The expired ticket errors below are
>>             unexpected since there
>>             >     are so many of them. Is your KDC running?
>>             >
>>             >     ipactl status
>>             >
>>             >     rob
>>             >
>>             >     >
>>             >     >
>>             >     > 2014-07-02 14:15 GMT+08:00 <barrykfl at gmail.com>:
>>             >     >
>>             >     >
>>             >     >     this is the error log i found at 2.abc.com
>>             >     >
>>             >     > [30/Jun/2014:12:51:31 +0800]
>>             slapd_ldap_sasl_interactive_bind -
>>             >     >     Error: could not perform interactive bind for
>>             id [] mech [GSSAPI]:
>>             >     >     LDAP error -2 (Local error) (SASL(-1):
>>             generic failure: GSSAPI
>>             >     >     Error: Unspecified GSS failure.  Minor code
>>             may provide more
>>             >     >     information (Ticket expired)) errno 0 (Success)
>>             >     > [30/Jun/2014:12:51:31 +0800]
>>             slapd_ldap_sasl_interactive_bind -
>>             >     >     Error: could not perform interactive bind for
>>             id [] mech [GSSAPI]:
>>             >     >     LDAP error -2 (Local error) (SASL(-1):
>>             generic failure: GSSAPI
>>             >     >     Error: Unspecified GSS failure.  Minor code
>>             may provide more
>>             >     >     information (Ticket expired)) errno 0 (Success)
>>             >     > [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind -
>>             Error: could not
>>             >     >     perform interactive bind for id [] mech
>>             [GSSAPI]: error -2
>>             >     (Local error)
>>             >     > [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin -
>>             >     >     agmt="cn=meTo1.abc.com" (central:389):
>>             >     >     Replication bind with GSSAPI auth failed:
>>             LDAP error -2 (Local
>>             >     >     error) (SASL(-1): generic failure: GSSAPI
>>             Error: Unspecified GSS
>>             >     >     failure.  Minor code may provide more
>>             information (Ticket
>>             >     expired))
>>             >     > [30/Jun/2014:12:51:34 +0800]
>>             slapd_ldap_sasl_interactive_bind -
>>             >     >     Error: could not perform interactive bind for
>>             id [] mech [GSSAPI]:
>>             >     >     LDAP error -2 (Local error) (SASL(-1):
>>             generic failure: GSSAPI
>>             >     >     Error: Unspecified GSS failure.  Minor code
>>             may provide more
>>             >     >     information (Ticket expired)) errno 0 (Success)
>>             >     > [30/Jun/2014:12:51:35 +0800]
>>             slapd_ldap_sasl_interactive_bind -
>>             >     >     Error: could not perform interactive bind for
>>             id [] mech [GSSAPI]:
>>             >     >     LDAP error -2 (Local error) (SASL(-1):
>>             generic failure: GSSAPI
>>             >     >     Error: Unspecified GSS failure.  Minor code
>>             may provide more
>>             >     >     information (Ticket expired)) errno 0 (Success)
>>             >     > [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind -
>>             Error: could not
>>             >     >     perform interactive bind for id [] mech
>>             [GSSAPI]: error -2
>>             >     (Local error)
>>             >     > [30/Jun/2014:12:51:40 +0800]
>>             slapd_ldap_sasl_interactive_bind -
>>             >     >     Error: could not perform interactive bind for
>>             id [] mech [GSSAPI]:
>>             >     >     LDAP error -2 (Local error) (SASL(-1):
>>             generic failure: GSSAPI
>>             >     >     Error: Unspecified GSS failure.  Minor code
>>             may provide more
>>             >     >     information (Ticket expired)) errno 0 (Success)
>>             >     > [30/Jun/2014:12:51:40 +0800]
>>             slapd_ldap_sasl_interactive_bind -
>>             >     >     Error: could not perform interactive bind for
>>             id [] mech [GSSAPI]:
>>             >     >     LDAP error -2 (Local error) (SASL(-1):
>>             generic failure: GSSAPI
>>             >     >     Error: Unspecified GSS failure.  Minor code
>>             may provide more
>>             >     >     information (Ticket expired)) errno 0 (Success)
>>             >     > [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind -
>>             Error: could not
>>             >     >     perform interactive bind for id [] mech
>>             [GSSAPI]: error -2
>>             >     (Local error)
>>             >     >
>>             >     >
>>             >     >     2014-07-02 12:32 GMT+08:00 <barrykfl at gmail.com>:
>>             >     >
>>             >     >         yes on node 1 it is happening only node2
>>             fail connect
>>             >     >
>>             >     >         ipa-replica-manage list 2.abc.com
>>             >     >         Directory Manager password:
>>             >     >
>>             >     >         1.abc.com: replica
>>             >     >
>>             >     >
>>             >     >
>>             >     >         2014-06-30 20:59 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>>             >     >
>>             >     >             Barry wrote:
>>             >     >             > Hi:
>>             >     >             >
>>             >     >             > Server 1 and Server 2 is cluster
>>             master master
>>             >     originally ,
>>             >     >             but server 2
>>             >     >             > fail to connect server1 ,.
>>             >     >             >
>>             >     >             > ipa-replica-manage list shown Can't
>>             contact LDAP server
>>             >     >             >
>>             >     >             > But as server1 it is ok  master
>>             server1 master server2 ,
>>             >     >             >
>>             >     >             > It seem affect if update on server
>>             1 then it syn to
>>             >     > server2 no problem
>>             >     >             > but sometimes if modify in server2
>>             if fail to update
>>             >     server1.
>>             >     >             >
>>             >     >             > Any idea to rebuild mutual
>>             relationship.?
>>             >     >
>>             >     >             The first step is to diagnose what is
>>             wrong. I've already
>>             >     > suggested a
>>             >     >             few things,
>>             >     >
>>             >
>>             https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html
>>             >     >
>>             >     >             rob
>>             >     >
>>             >     >             --
>>             >     >             Manage your subscription for the
>>             Freeipa-users mailing
>>             >     list:
>>             >     > https://www.redhat.com/mailman/listinfo/freeipa-users
>>             >     >             Go To http://freeipa.org for more
>>             info on the project
>>             >     >
>>             >     >
>>             >     >
>>             >     >
>>             >
>>
>>
>>
>>
>>
>
>
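
Added example, not part of the original thread: one way to answer the question above about whether a given conn= is a replication session, and to list connections that closed with B1 before any LDAP operation. It assumes unwrapped 389 Directory Server access-log lines; the sample log is constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Start-replication extended-operation OIDs as logged by 389 Directory Server.
REPL_START_OIDS = {"2.16.840.1.113730.3.5.3", "2.16.840.1.113730.3.5.12"}
LINE = re.compile(r"^\[[^\]]+\]\s+conn=(?P<conn>\d+)\s+(?P<rest>.*)$")
OPEN = re.compile(r"connection from (?P<src>\S+) to (?P<dst>\S+)")
CLOSE = re.compile(r"closed - (?P<code>\w+)")
OP = re.compile(r"op=(?P<op>\d+) (?P<verb>[A-Z]+)\b(?P<args>.*)")
OID = re.compile(r'oid="(?P<oid>[\d.]+)"')

# Constructed sample in the access-log format quoted in this thread.
SAMPLE = """\
[08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
[08/Jul/2014:16:02:41 +0800] conn=3299740 fd=70 slot=70 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=1 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=1 RESULT err=0 tag=120 nentries=0 etime=0
[08/Jul/2014:16:02:42 +0800] conn=3299740 op=2 UNBIND
[08/Jul/2014:16:02:42 +0800] conn=3299740 op=2 fd=70 closed - U1
"""

def summarize(log_text):
    """Group access-log lines by conn= and record ops, close code, replication."""
    conns = defaultdict(lambda: {"src": None, "dst": None, "ops": [],
                                 "close": None, "replication": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        c, rest = conns[int(m["conn"])], m["rest"]
        if (o := OPEN.search(rest)):
            c["src"], c["dst"] = o["src"], o["dst"]
        elif (x := CLOSE.search(rest)):
            c["close"] = x["code"]
        elif (p := OP.match(rest)) and p["verb"] != "RESULT":
            c["ops"].append(p["verb"])
            oid = OID.search(p["args"])
            if oid and oid["oid"] in REPL_START_OIDS:
                c["replication"] = True
    return dict(conns)

def empty_b1(conns):
    """Connections closed with B1 (bad BER tag) before any LDAP operation."""
    return sorted(n for n, c in conns.items() if c["close"] == "B1" and not c["ops"])

if __name__ == "__main__":
    print(empty_b1(summarize(SAMPLE)))
```

A connection that appears in `empty_b1` never sent a bind or a start-replication extended operation, so it cannot be identified as a replication session from the access log alone; the errors log on both servers is the next place to look.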
