[Freeipa-users] ipa-replica-manage list fail on server 2

barrykfl at gmail.com barrykfl at gmail.com
Thu Jul 10 02:36:11 UTC 2014


Hi:

What is the procedure for this minor update?

Just yum update ipa-server after stopping the server? And what is the effect on the existing
ldap?

As server 2 is also the master of a replica, do I need to redo ipa-replica-install?

barry


2014-07-09 22:20 GMT+08:00 Rich Megginson <rmeggins at redhat.com>:

>  On 07/08/2014 09:02 PM, barrykfl at gmail.com wrote:
>
>  Some errors I found:
>
>
>  server1.abc.com:636 (/etc/dirsrv/slapd-abc-COM)
>
>  [29/Jun/2014:02:00:56 +0800] - 389-Directory/1.2.11.25 B2013.325.1951
> starting up
> [29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher AES
> [29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_cipher_init: symmetric
> key failed to unwrap with the private key; Cert might have been renewed
> since the key is wrapped.  To recover the encrypted contents, keep the
> wrapped symmetric key value.
> [29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher 3DES
> [29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_cipher_init: symmetric
> key failed to unwrap with the private key; Cert might have been renewed
> since the key is wrapped.  To recover the encrypted contents, keep the
> wrapped symmetric key value.
> [29/Jun/2014:02:00:56 +0800] attrcrypt - All prepared ciphers are not
> available. Please disable attribute encryption.
> [29/Jun/2014:02:00:56 +0800] schema-compat-plugin - warning: no entries
> set up under cn=computers, cn=compat,dc=abc,dc=com
> [29/Jun/2014:02:00:57 +0800] schema-compat-plugin - warning: no entries
> set up under cn=ng, cn=compat,dc=abc,dc=com
> [29/Jun/2014:02:00:57 +0800] schema-compat-plugin - warning: no entries
> set up under ou=sudoers,dc=abc,dc=com
> [29/Jun/2014:02:00:57 +0800] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=abc,dc=com--no CoS Templates found, which should be
> added before the CoS Definition.
> [29/Jun/2014:02:00:57 +0800] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1.abc.com at abc.COM] in keytab [
> FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
> requested realm)
> [29/Jun/2014:02:00:58 +0800] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=abc,dc=com--no CoS Templates found, which should be
> added before the CoS Definition.
> [29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_492' not found)) errno 0 (Success)
> [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [29/Jun/2014:02:00:58 +0800] NSMMReplicationPlugin - agmt="cn=
> meToserver2.abc.com" (server2:389): Replication bind with GSSAPI auth
> failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
> Error: Unspecified GSS failure.  Minor code may provide more information
> (Credentials cache file '/tmp/krb5cc_492' not found))
> [29/Jun/2014:02:00:58 +0800] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [29/Jun/2014:02:00:58 +0800] - Listening on All Interfaces port 636 for
> LDAPS requests
>
>
>  389-Directory/1.2.11.15 B2013.240.174
> server2.abc.com:636 (/etc/dirsrv/slapd-abc-COM)
>
>  [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Ticket expired)) errno 0
> (Success)
> [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Ticket expired)) errno 0
> (Success)
> [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=
> meToserver1.abc.com" (server1:389): Replication bind with GSSAPI auth
> failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
> Error: Unspecified GSS failure.  Minor code may provide more information
> (Ticket expired))
> [30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Ticket expired)) errno 0
> (Success)
> [30/Jun/2014:12:51:35 +0800] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Ticket expired)) errno 0
> (Success)
> [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Ticket expired)) errno 0
> (Success)
> [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Ticket expired)) errno 0
> (Success)
> [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [30/Jun/2014:12:51:52 +0800] NSMMReplicationPlugin - agmt="cn=
> meToserver1.abc.com" (server1:389): Replication bind with GSSAPI auth
> resumed
>
>
> You are using an older version of 389.  The version on server2 is older
> than the version on server1.  Can you upgrade and see if that fixes your
> problems?  Even if it doesn't fix your problems, it will be much easier for
> us to support.
>
>
>
> 2014-07-09 10:55 GMT+08:00 <barrykfl at gmail.com>:
>
>>  FYI..
>> 160: [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection
>> from 192.168.156.89 to 192.168.156.89
>> 163: [04/Jul/2014:12:35:30 +0800] conn=936207 op=-1 fd=73 closed - B1
>>
>>  There is nothing about binding, but I am unsure how to fix it.
>>
>>
>>
>>
>> 2014-07-09 2:01 GMT+08:00 Rich Megginson <rmeggins at redhat.com>:
>>
>>   On 07/08/2014 02:16 AM, barrykfl at gmail.com wrote:
>>>
>>> Resent due to the size limit.
>>>
>>>
>>>  Here you are. server1's access log seems broken on one side.
>>>
>>>  The problem is how to make it replicate again.
>>>
>>>  At server 1
>>>
>>>  it is ok: master server1, master server2
>>>
>>>
>>>   On the other side, server 2 contains 2 IP replications.
>>>
>>>  ipa-replica-manage list shows Can't contact LDAP server
>>>
>>>  I don't know why, but the problematic server is server 2, not server 1
>>>
>>>  log of server2
>>> [08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from
>>> 192.168.15.89 (server1) to 192.168.15.88(server2)
>>>  [08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
>>> [08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69 connection from
>>> 192.168.15.89 to 192.168.15.88
>>> [08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1
>>> [08/Jul/2014:16:02:41 +0800] conn=3299733 fd=69 slot=69 connection from
>>> 192.168.15.89 to 192.168.15.88
>>> [08/Jul/2014:16:02:41 +0800] conn=3299733 op=-1 fd=69 closed - B1
>>>
>>>
>>>  You never answered my question below.  "Are you sure that this
>>> connection is a replication session?  Can you post all of the operations
>>> from the access log from conn=936207?"
>>>
>>> In the future, please avoid spamming the list with large log files.  In
>>> general, it's better to provide excerpts from the log files showing the
>>> problem, paste them to fpaste.org, and post the link to the mailing
>>> list.  If for some reason you need to post a large file, please use a file
>>> sharing service and post the link to the file.
>>>
>>> Can you take a look at your errors log from server 1 and server 2 and
>>> see if there are any relevant errors?
>>>
>>> If I had to guess, I would say that there is some sort of network error
>>> between server 1 and server 2 that causes the excessive closed - B1.
>>> Perhaps there will be more information in the errors log.
>>>
>>>
>>>
>>>
>>>
>>> 2014-07-07 22:21 GMT+08:00 Rich Megginson <rmeggins at redhat.com>:
>>>
>>>>  On 07/04/2014 03:28 AM, barrykfl at gmail.com wrote:
>>>>
>>>> FOUND something strange: server 1 replicates to itself rather than
>>>> server2
>>>>
>>>>  Server1 access log > Wrong
>>>> [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from
>>>> 192.168.15.89( server1 )  to 192.168.15.89 (server1)
>>>>
>>>>
>>>>  Are you sure that this connection is a replication session?  Can you
>>>> post all of the operations from the access log from conn=936207?
>>>>
>>>>
>>>>
>>>>
>>>>  Server 2 access log > OK
>>>> [04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection from
>>>> 192.168.15.89(server2) to 192.168.15.88 (server2)
>>>>
>>>>
>>>> 2014-07-04 9:25 GMT+08:00 <barrykfl at gmail.com>:
>>>>
>>>>>  Just sure now one side of the flow is broken: if you update server1, it 100%
>>>>> works, server2 will upgrade.
>>>>>  But if you update server2 there is a chance of non-sync, e.g. it creates a
>>>>> username in server1 with posix grp > ok
>>>>> but in server2 it only created the posix grp but no username/attribute.
>>>>> It occurred several times. I have to use the command line grp del ... etc. to
>>>>> force-delete them and recreate them.
>>>>>
>>>>>  Result below:
>>>>>
>>>>>  server2.abc.com: replica
>>>>>   last init status: None
>>>>>   last init ended: None
>>>>>   last update status: 0 Replica acquired successfully: Incremental
>>>>> update succeeded
>>>>>   last update ended: 2014-07-04 00:33:18+00:00
>>>>>
>>>>>  Directory Manager password:
>>>>>
>>>>>  server1.abc.com: replica
>>>>>   last init status: 0 Total update succeeded
>>>>>   last init ended: 2014-06-20 10:07:02+00:00
>>>>>   last update status: 0 Replica acquired successfully: Incremental
>>>>> update succeeded
>>>>>   last update ended: 2014-07-04 01:14:19+00:00
>>>>>
>>>>>
>>>>>
>>>>>  [root@(LIVE)server2 ~]$  ipactl status
>>>>> Directory Service: RUNNING
>>>>> KDC Service: RUNNING
>>>>> KPASSWD Service: RUNNING
>>>>> MEMCACHE Service: RUNNING
>>>>>  HTTP Service: RUNNING
>>>>>
>>>>>
>>>>> 2014-07-04 1:34 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>>>>>
>>>>>  barrykfl at gmail.com wrote:
>>>>>> > Yes they are running. Server 1 can sync to server2 but error at
>>>>>> server 2
>>>>>> > like this.
>>>>>>
>>>>>>  How do you know server 1 is syncing with server 2?
>>>>>>
>>>>>> On server 1 I'd run:
>>>>>>
>>>>>> ipa-replica-manage list -v `hostname`
>>>>>>
>>>>>> This will show the replication status.
>>>>>>
>>>>>> And what does ipactl status show on server 2?
>>>>>>
>>>>>> rob
>>>>>>
>>>>>> >
>>>>>> > On 2014/7/3 10:14 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
>>>>>> >
>>>>>> >     Please keep replies on the list.
>>>>>> >
>>>>>> >     barrykfl at gmail.com wrote:
>>>>>> >     > I saw the error below in the error log; is it related?
>>>>>> >     >
>>>>>> >     > 29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind
>>>>>> - Error:
>>>>>> >     > could not perform interactive bind for id [] mech [GSSAPI]:
>>>>>> LDAP error
>>>>>> >     > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error:
>>>>>> Unspecified
>>>>>> >     > GSS failure.  Minor code may provide more information
>>>>>> (Credentials
>>>>>> >     cache
>>>>>> >     > file '/tmp/krb5cc_492' not found)) errno 0 (Success)
>>>>>> >     > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could
>>>>>> not
>>>>>> >     perform
>>>>>> >     > interactive bind for id [] mech [GSSAPI]: error -2 (Local
>>>>>> error)
>>>>>> >
>>>>>> >     I believe this is fairly normal on a new startup. It has to
>>>>>> start
>>>>>> >     somewhere. The expired ticket errors below are unexpected since
>>>>>> there
>>>>>> >     are so many of them. Is your KDC running?
>>>>>> >
>>>>>> >     ipactl status
>>>>>> >
>>>>>> >     rob
>>>>>> >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     > 2014-07-02 14:15 GMT+08:00 <barrykfl at gmail.com>:
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >     this is the error log I found at 2.abc.com
>>>>>> >     >
>>>>>> >     >     [30/Jun/2014:12:51:31 +0800]
>>>>>> slapd_ldap_sasl_interactive_bind -
>>>>>> >     >     Error: could not perform interactive bind for id [] mech
>>>>>> [GSSAPI]:
>>>>>> >     >     LDAP error -2 (Local error) (SASL(-1): generic failure:
>>>>>> GSSAPI
>>>>>> >     >     Error: Unspecified GSS failure.  Minor code may provide
>>>>>> more
>>>>>> >     >     information (Ticket expired)) errno 0 (Success)
>>>>>> >     >     [30/Jun/2014:12:51:31 +0800]
>>>>>> slapd_ldap_sasl_interactive_bind -
>>>>>> >     >     Error: could not perform interactive bind for id [] mech
>>>>>> [GSSAPI]:
>>>>>> >     >     LDAP error -2 (Local error) (SASL(-1): generic failure:
>>>>>> GSSAPI
>>>>>> >     >     Error: Unspecified GSS failure.  Minor code may provide
>>>>>> more
>>>>>> >     >     information (Ticket expired)) errno 0 (Success)
>>>>>> >     >     [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error:
>>>>>> could not
>>>>>> >     >     perform interactive bind for id [] mech [GSSAPI]: error -2
>>>>>> >     (Local error)
>>>>>> >     >     [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin -
>>>>>> >     >     agmt="cn=meTo1.abc.com" (central:389):
>>>>>> >     >     Replication bind with GSSAPI auth failed: LDAP error -2
>>>>>> (Local
>>>>>> >     >     error) (SASL(-1): generic failure: GSSAPI Error:
>>>>>> Unspecified GSS
>>>>>> >     >     failure.  Minor code may provide more information (Ticket
>>>>>> >     expired))
>>>>>> >     >     [30/Jun/2014:12:51:34 +0800]
>>>>>> slapd_ldap_sasl_interactive_bind -
>>>>>> >     >     Error: could not perform interactive bind for id [] mech
>>>>>> [GSSAPI]:
>>>>>> >     >     LDAP error -2 (Local error) (SASL(-1): generic failure:
>>>>>> GSSAPI
>>>>>> >     >     Error: Unspecified GSS failure.  Minor code may provide
>>>>>> more
>>>>>> >     >     information (Ticket expired)) errno 0 (Success)
>>>>>> >     >     [30/Jun/2014:12:51:35 +0800]
>>>>>> slapd_ldap_sasl_interactive_bind -
>>>>>> >     >     Error: could not perform interactive bind for id [] mech
>>>>>> [GSSAPI]:
>>>>>> >     >     LDAP error -2 (Local error) (SASL(-1): generic failure:
>>>>>> GSSAPI
>>>>>> >     >     Error: Unspecified GSS failure.  Minor code may provide
>>>>>> more
>>>>>> >     >     information (Ticket expired)) errno 0 (Success)
>>>>>> >     >     [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error:
>>>>>> could not
>>>>>> >     >     perform interactive bind for id [] mech [GSSAPI]: error -2
>>>>>> >     (Local error)
>>>>>> >     >     [30/Jun/2014:12:51:40 +0800]
>>>>>> slapd_ldap_sasl_interactive_bind -
>>>>>> >     >     Error: could not perform interactive bind for id [] mech
>>>>>> [GSSAPI]:
>>>>>> >     >     LDAP error -2 (Local error) (SASL(-1): generic failure:
>>>>>> GSSAPI
>>>>>> >     >     Error: Unspecified GSS failure.  Minor code may provide
>>>>>> more
>>>>>> >     >     information (Ticket expired)) errno 0 (Success)
>>>>>> >     >     [30/Jun/2014:12:51:40 +0800]
>>>>>> slapd_ldap_sasl_interactive_bind -
>>>>>> >     >     Error: could not perform interactive bind for id [] mech
>>>>>> [GSSAPI]:
>>>>>> >     >     LDAP error -2 (Local error) (SASL(-1): generic failure:
>>>>>> GSSAPI
>>>>>> >     >     Error: Unspecified GSS failure.  Minor code may provide
>>>>>> more
>>>>>> >     >     information (Ticket expired)) errno 0 (Success)
>>>>>> >     >     [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error:
>>>>>> could not
>>>>>> >     >     perform interactive bind for id [] mech [GSSAPI]: error -2
>>>>>> >     (Local error)
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >     2014-07-02 12:32 GMT+08:00 <barrykfl at gmail.com>:
>>>>>> >     >
>>>>>> >     >         Yes, on node 1 it is happening; only node2 fails to connect
>>>>>> >     >
>>>>>> >     >         ipa-replica-manage list 2.abc.com
>>>>>> >     >         Directory Manager password:
>>>>>> >     >
>>>>>> >     >         1.abc.com: replica
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >         2014-06-30 20:59 GMT+08:00 Rob Crittenden
>>>>>> >     >         <rcritten at redhat.com>:
>>>>>>  >     >
>>>>>> >     >             Barry wrote:
>>>>>> >     >             > Hi:
>>>>>> >     >             >
>>>>>> >     >             > Server 1 and Server 2 were originally a master-master
>>>>>> >     >             > cluster, but server 2 fails to connect to server1.
>>>>>> >     >             >
>>>>>> >     >             > ipa-replica-manage list shows Can't contact LDAP server
>>>>>> >     >             >
>>>>>> >     >             > But on server1 it is ok: master server1, master server2.
>>>>>> >     >             >
>>>>>> >     >             > It seems if I update on server 1 then it syncs to
>>>>>> >     >             > server2 with no problem, but sometimes if I modify in
>>>>>> >     >             > server2 it fails to update server1.
>>>>>> >     >             >
>>>>>> >     >             > Any idea how to rebuild the mutual relationship?
>>>>>> >     >
>>>>>> >     >             The first step is to diagnose what is wrong. I've
>>>>>> >     >             already suggested a few things,
>>>>>> >     >
>>>>>> >     >             https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html
>>>>>> >     >
>>>>>> >     >             rob
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
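An added example, not code from the thread or from FreeIPA/389-ds: a small Python parser for 389-ds errors-log lines of the kinds quoted above. It tallies the GSSAPI/Kerberos failure reasons (so a run of "Ticket expired", which Rob ties to the KDC, stands out), lists ciphers whose wrapped attrcrypt key could not be unwrapped, and flags replication agreements whose last bind event was a failure with no "resumed" after it. The sample lines are constructed; hostnames, timestamps and the ABC.COM realm are illustrative.

```python
import re
from collections import Counter
# Constructed sample of 389-ds errors-log lines in the shapes quoted in the
# thread (hosts, timestamps and the ABC.COM realm are illustrative).
SAMPLE_LOG = """\
[29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[29/Jun/2014:02:00:57 +0800] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.abc.com@ABC.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Jun/2014:02:00:58 +0800] NSMMReplicationPlugin - agmt="cn=meToserver2.abc.com" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
[30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meToserver1.abc.com" (server1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired))
[30/Jun/2014:12:51:52 +0800] NSMMReplicationPlugin - agmt="cn=meToserver1.abc.com" (server1:389): Replication bind with GSSAPI auth resumed
"""

# "[timestamp] <component> - <message>"; the component is absent on lines like "[...] - slapd started."
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?:(?P<src>\S+)\s+)?-\s+(?P<msg>.*)$")
GSS_REASON_RE = re.compile(r"Minor code may provide more information \((?P<r>[^)]*)\)")
KRB_REASON_RE = re.compile(r":\s+-?\d+\s+\((?P<r>[^)]*)\)\s*$")
AGMT_RE = re.compile(r'agmt="(?P<a>[^"]+)"')

def _group(rx, text, name, default="unspecified"):
    m = rx.search(text)
    return m.group(name) if m else default

def classify(line):
    """Map one errors-log line to (event, agreement, detail); None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    if "attrcrypt_unwrap_key" in msg and "failed to unwrap" in msg:
        return ("attrcrypt_unwrap_failed", None, msg.rsplit(" ", 1)[-1])  # cipher name
    if "Could not get initial credentials" in msg:
        return ("kdc_unreachable", None, _group(KRB_REASON_RE, msg, "r"))
    if "Replication bind with GSSAPI auth failed" in msg:
        return ("replication_bind_failed", _group(AGMT_RE, msg, "a", "?"), _group(GSS_REASON_RE, msg, "r"))
    if "Replication bind with GSSAPI auth resumed" in msg:
        return ("replication_bind_resumed", _group(AGMT_RE, msg, "a", "?"), None)
    if "could not perform interactive bind" in msg and "[GSSAPI]" in msg:
        return ("gssapi_bind_failed", None, _group(GSS_REASON_RE, msg, "r"))
    return None

def summarize(log_text):
    """Tally failure reasons, unwrappable ciphers, and agreements still failing at end of log."""
    reasons, ciphers, agmt_state = Counter(), [], {}
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        kind, agmt, detail = ev
        if kind == "attrcrypt_unwrap_failed":
            ciphers.append(detail)
        elif kind == "replication_bind_resumed":
            agmt_state[agmt] = "resumed"
        else:  # kdc_unreachable, gssapi_bind_failed, replication_bind_failed
            reasons[detail] += 1
            if agmt:
                agmt_state[agmt] = "failed"
    stuck = sorted(a for a, s in agmt_state.items() if s == "failed")
    return {"gss_reasons": dict(reasons), "attrcrypt_ciphers": ciphers, "stuck_agreements": stuck}
```

Run `summarize(SAMPLE_LOG)` and the agreement to server2 is reported as stuck while the one to server1 is not, because its failure is followed by a "resumed" line.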