[Freeipa-users] ipa-replica-manage list fail on server 2
Rob Crittenden
rcritten at redhat.com
Tue Jul 15 15:38:20 UTC 2014
barrykfl at gmail.com wrote:
> What is meant? You meant enable anonymous access? Return back to 389?
> How to remove the can't connect LDAP server?

I meant neither of those.

Watch the 389-ds access log when running ipa-replica-manage list.
Find the connection, note the error, if any.
rob
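
The check described above, as an added example that is not part of the original post: a Python sketch that groups 389-ds access log lines by conn= and reports connections that closed before any LDAP operation or that returned a non-zero result. The sample lines are constructed (only the conn=3299731 pair follows the excerpt quoted in this thread), and the close-code meanings are taken from the Directory Server documentation, not from this page.

```python
import re
import sys
from collections import OrderedDict

# Constructed sample in 389-ds access log format. conn=3299731 mirrors the
# open / "closed - B1" pair quoted in this thread; the other lines are invented.
SAMPLE_LOG = """\
[08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
[08/Jul/2014:16:02:41 +0800] conn=3299740 fd=70 slot=70 SSL connection from 192.168.15.88 to 192.168.15.88
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=1 SRCH base="cn=config" scope=2 filter="(objectClass=nsDS5ReplicationAgreement)" attrs=ALL
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=2 UNBIND
[08/Jul/2014:16:02:41 +0800] conn=3299740 op=2 fd=70 closed - U1
[08/Jul/2014:16:02:42 +0800] conn=3299741 fd=71 slot=71 connection from 192.168.15.89 to 192.168.15.88
[08/Jul/2014:16:02:42 +0800] conn=3299741 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[08/Jul/2014:16:02:42 +0800] conn=3299741 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[08/Jul/2014:16:02:42 +0800] conn=3299741 op=-1 fd=71 closed - B1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+(?P<rest>.*)$")
OPEN_RE = re.compile(r"^fd=\d+ slot=\d+ (?P<ssl>SSL )?connection from (?P<src>\S+) to (?P<dst>\S+)")
CLOSE_RE = re.compile(r"^op=-?\d+ fd=\d+ closed.* - (?P<code>\S+)$")
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+)")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<verb>[A-Z]+)\b")

# Meanings as given in the Directory Server documentation (not on this page).
CLOSE_CODES = {
    "A1": "client aborted the connection",
    "B1": "corrupt BER tag or unclean client disconnect",
    "T1": "idle timeout reached",
    "U1": "closed by server after client UNBIND",
}


def summarize_connections(lines):
    """Group access-log lines by conn= and record what each connection did."""
    conns = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an access-log record
        conn = conns.setdefault(m.group("conn"), {
            "opened": None, "src": None, "dst": None, "ssl": False,
            "ops": [], "errors": [], "close_code": None,
        })
        rest = m.group("rest")
        opened = OPEN_RE.match(rest)
        closed = CLOSE_RE.match(rest)
        result = RESULT_RE.match(rest)
        op = OP_RE.match(rest)
        if opened:
            conn.update(opened=m.group("ts"), src=opened.group("src"),
                        dst=opened.group("dst"), ssl=bool(opened.group("ssl")))
        elif closed:
            conn["close_code"] = closed.group("code")
        elif result:
            if result.group("err") != "0":
                conn["errors"].append((int(result.group("op")), int(result.group("err"))))
        elif op:
            conn["ops"].append(op.group("verb"))  # BIND, SRCH, UNBIND, ...
    return conns


def find_problems(conns):
    """Return (conn, src, reason) for connections that never reached, or failed, an LDAP op."""
    findings = []
    for conn_id, c in conns.items():
        code = c["close_code"]
        if code is not None and not c["ops"]:
            # Nothing was logged between open and close, so the failure happened
            # before LDAP authentication (transport or TLS layer).
            meaning = CLOSE_CODES.get(code, "see the server's close-code table")
            reason = "closed %s (%s) before any LDAP operation" % (code, meaning)
        elif c["errors"]:
            reason = "; ".join("op=%d err=%d" % e for e in c["errors"])
        else:
            continue
        findings.append((conn_id, c["src"], reason))
    return findings


if __name__ == "__main__":
    # Pass the instance's access log path as the first argument; without one,
    # the constructed sample is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for conn_id, src, reason in find_problems(summarize_connections(log_lines)):
        print("conn=%s from %s: %s" % (conn_id, src, reason))
```

Run it against the access log right after a failing ipa-replica-manage list and look for the entry whose source address is the host the command was run on.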
>
>
> 2014-07-15 22:29 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>
> Rich Megginson wrote:
> > On 07/14/2014 05:58 PM, barrykfl at gmail.com wrote:
> >> kinit works, can input password
> >>
> >> any ipa command fails, even ipa replica-manage status command >> "cant
> >> contact ldap server"
> >
> > Assuming that ldapsearch works, this sounds like the ipa command line
> > tool can't communicate with the httpd server? Any errors in
> > /var/log/httpd/error_log?
>
> ipa-replica-manage only uses direct LDAP (maybe a little GSSAPI for good
> measure).
>
> It also uses port 636 so at this point I suspect it is an SSL trust
> issue. If you watch the access log you should see the connection attempt
> and result.
>
> rob
>
> >
> >>
> >>
> >> 2014-07-15 0:03 GMT+08:00 Rich Megginson <rmeggins at redhat.com>:
> >>
> >> On 07/13/2014 08:51 PM, barrykfl at gmail.com wrote:
> >>> Hi:
> >>>
> >>> Only for the servers that are getting the "DB_LOCK_DEADLOCK:
> >>> Locker killed to resolve a deadlock" message in the errors log.
> >>>
> >>> > need restart ipactl service after modification?
> >>>
> >>> But this does not explain the "cant contact ldap server" errors.
> >>>
> >>> Which ipa commands give the "cant contact ldap server" errors?
> >>>
> >>> > server2.abc.com and command related
> >>> > ipa shown can't contact ldap server, log shown before.
> >>
> >> Does this mean that
> >> ipa user-find
> >> on server2.abc.com gives a "cant contact
> >> ldap server" error?
> >>
> >> Or is it only the ipa replica-manage status command that gives
> >> this error?
> >>
> >> If it is the former, does ldapsearch work? Does kinit work?
> >>
> >>>
> >>>
> >>> 2014-07-11 21:55 GMT+08:00 Rich Megginson <rmeggins at redhat.com>:
> >>>
> >>> On 07/11/2014 01:53 AM, barrykfl at gmail.com wrote:
> >>>> At server 2 there is an error:
> >>>>
> >>>>
> >>>> [10/Jul/2014:12:29:59 +0800] NSMMReplicationPlugin -
> >>>> agmt="cn=meToserver1.abc.com"
> >>>> (central:389): Replication bind with GSSAPI auth failed:
> >>>> LDAP error -2 (Local error) (SASL(-1): generic failure:
> >>>> GSSAPI Error: Unspecified GSS failure. Minor code may
> >>>> provide more information (Credentials cache file
> >>>> '/tmp/krb5cc_494' not found))
> >>>
> >>> This is usually a transient error that should go away.
> >>>
> >>>>
> >>>>
> >>>> 2014-07-11 10:26 GMT+08:00 <barrykfl at gmail.com>:
> >>>>
> >>>> Yes,
> >>>> still get "cant contact ldap server" after upgrading
> >>>> both servers.
> >>>>
> >>>>
> >>>> 2014-07-10 23:18 GMT+08:00 Rich Megginson
> >>>> <rmeggins at redhat.com>:
> >>>>
> >>>> On 07/10/2014 09:15 AM, barrykfl at gmail.com wrote:
> >>>>>
> >>>>> But any hint that server 2 say cant contact ldap
> >>>>> server if type ipa command?
> >>>>>
> >>>>
> >>>> Please keep replies on list.
> >>>>
> >>>> You still get "cant contact ldap server" after
> >>>> upgrading both servers?
> >>>>
> >>>>> 2014/7/10 10:25 PM, "Rich Megginson" <rmeggins at redhat.com> wrote:
> >>>>>
> >>>>> On 07/10/2014 01:14 AM, barrykfl at gmail.com wrote:
> >>>>>> Tried and now two version same ....but seem
> >>>>>> same situation.
> >>>>>>
> >>>>>> i found a related error log that server1 has
> >>>>>> account after added user but not replicated to
> >>>>>> server2. Is it too fast on UI clicking ? as i
> >>>>>> exp once that click very
> >>>>>> fast twice add and edit user may cause server
> >>>>>> 2 no record.
> >>>>>>
> >>>>>>
> >>>>>> [10/Jul/2014:14:20:01 +0800] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=53be3097000000040000) failed (rc=-30994 (DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> >>>>>> [10/Jul/2014:14:20:01 +0800] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (53be3097000000040000); db error - -30994 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
> >>>>>> [10/Jul/2014:14:20:01 +0800] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=xuehuimei,cn=users,cn=accounts,dc=abc,dc=com (uniqid: 1300de84-07fa11e4-b3ddf885-593f3a7a, optype: 16) to changelog csn 53be3097000000040000
> >>>>>> [10/Jul/2014:14:56:51 +0800] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=53be3939000000040000) failed (rc=-30994 (DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> >>>>>> [10/Jul/2014:14:56:51 +0800] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (53be3939000000040000); db error - -30994 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
> >>>>>> [10/Jul/2014:14:56:51 +0800] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=websubcon04,cn=users,cn=accounts,dc=abc,dc=com (uniqid: 3e39fc81-07ff11e4-b3ddf885-593f3a7a, optype: 16) to changelog csn 53be3939000000040000
> >>>>>
> >>>>> This looks like
> >>>>> https://fedorahosted.org/389/ticket/47409 and
> >>>>> https://bugzilla.redhat.com/show_bug.cgi?id=979169
> >>>>>
> >>>>> Cause: Under certain conditions, with a mix of
> >>>>> concurrent search and update and outgoing
> >>>>> replication operations, there will be deadlocks
> >>>>> in the changelog db, leading to error messages
> >>>>> like this:
> >>>>> NSMMReplicationPlugin - changelog program -
> >>>>> _cl5WriteOperationTxn: failed to write entry
> >>>>> with csn (XXXXXXX); db error - -30994
> >>>>> DB_LOCK_DEADLOCK: Locker killed to resolve a
> >>>>> deadlock
> >>>>> This is caused by a deadlock between the
> >>>>> changelog readers, writers, and main database
> >>>>> writers.
> >>>>>
> >>>>> Consequence: Update operations will fail with
> >>>>> the above error message in the directory server
> >>>>> errors log.
> >>>>>
> >>>>> Fix: A new configuration parameter is introduced:
> >>>>> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> >>>>> nsslapd-db-deadlock-policy: 9
> >>>>>
> >>>>> With the default policy 9 (DB_LOCK_YOUNGEST),
> >>>>> the last locker gets killed when there is a
> >>>>> deadlock. In the case that this is the
> >>>>> changelog writer, the write will fail, and the
> >>>>> entire update will fail.
> >>>>>
> >>>>> Users who frequently see the above errors in
> >>>>> the errors log are advised to change this
> >>>>> setting to 6 (DB_LOCK_MINWRITE), which will
> >>>>> instead kill the locker that has the fewest
> >>>>> write locks (that is, the changelog reader).
> >>>>> The changelog reader code has been changed to
> >>>>> handle this deadlock condition and retry. The
> >>>>> setting can be changed like this:
> >>>>>
> >>>>> ldapmodify -x -D "cn=directory manager" -W <<EOF
> >>>>> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> >>>>> changetype: modify
> >>>>> replace: nsslapd-db-deadlock-policy
> >>>>> nsslapd-db-deadlock-policy: 6
> >>>>> EOF
> >>>>>
> >>>>> You may ask why the default is not changed to
> >>>>> 6. The answer is that the setting will apply
> >>>>> to _all_ threads, so that changing this setting
> >>>>> could cause regular search requests to fail, if
> >>>>> the directory server is under a heavy update
> >>>>> load. In our testing, we did not see this
> >>>>> happen, but we cannot guarantee that changing
> >>>>> this value to 6 will not impact regular search
> >>>>> requests.
> >>>>>
> >>>>> Result: After changing
> >>>>> nsslapd-db-deadlock-policy to 6, updates will
> >>>>> succeed and no longer cause errors like the above.
> >>>>>
> >>>>>
> >>>>>>
> >>>>>>
> >>>>>> 2014-07-10 10:40 GMT+08:00 Rich Megginson
> >>>>>> <rmeggins at redhat.com>:
> >>>>>>
> >>>>>> On 07/09/2014 08:36 PM, barrykfl at gmail.com wrote:
> >>>>>>> Hi :
> >>>>>>>
> >>>>>>> What is the procedure for this minor update ?
> >>>>>>>
> >>>>>>> just yum update ipa-server after stop the
> >>>>>>> server?
> >>>>>>
> >>>>>> If you just want to upgrade only the LDAP
> >>>>>> server, which is the component that I for
> >>>>>> sure know is out of date, then yum update
> >>>>>> 389-ds-base.
> >>>>>>
> >>>>>> Or just "yum update" - in general I don't
> >>>>>> like running "franken-systems" which have
> >>>>>> a mix of up-to-date and out of date
> >>>>>> packages. Note that "IPA server" is
> >>>>>> composed of several packages.
> >>>>>>
> >>>>>> You do not need to stop the server.
> >>>>>> yum/rpm upgrade will restart as needed.
> >>>>>> If you want to make sure, do ipactl
> >>>>>> restart after upgrade.
> >>>>>>
> >>>>>>
> >>>>>>> and effect of the existing ldap?
> >>>>>>
> >>>>>> Not sure what you mean. Upgrade should
> >>>>>> not touch any config or data.
> >>>>>>
> >>>>>>
> >>>>>>>
> >>>>>>> As the server 2 is master of replica also,
> >>>>>>> so need redo ipa-replica install ?
> >>>>>>
> >>>>>> No, you just need to perform the same
> >>>>>> upgrade procedure.
> >>>>>>
> >>>>>>
> >>>>>>>
> >>>>>>> barry
> >>>>>>>
> >>>>>>>
> >>>>>>> 2014-07-09 22:20 GMT+08:00 Rich Megginson
> >>>>>>> <rmeggins at redhat.com>:
> >>>>>>>
> >>>>>>> On 07/08/2014 09:02 PM,
> >>>>>>> barrykfl at gmail.com wrote:
> >>>>>>>> Some error i found :
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> server1.abc.com:636
> >>>>>>>> (/etc/dirsrv/slapd-abc-COM)
> >>>>>>>>
> >>>>>>>> [29/Jun/2014:02:00:56 +0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
> >>>>>>>> [29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> >>>>>>>> [29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
> >>>>>>>> [29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
> >>>>>>>> [29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
> >>>>>>>> [29/Jun/2014:02:00:56 +0800] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption.
> >>>>>>>> [29/Jun/2014:02:00:56 +0800] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=abc,dc=com
> >>>>>>>> [29/Jun/2014:02:00:57 +0800] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=abc,dc=com
> >>>>>>>> [29/Jun/2014:02:00:57 +0800] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=abc,dc=com
> >>>>>>>> [29/Jun/2014:02:00:57 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=abc,dc=com--no CoS Templates found, which should be added before the CoS Definition.
> >>>>>>>> [29/Jun/2014:02:00:57 +0800] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.abc.com at abc.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> >>>>>>>> [29/Jun/2014:02:00:58 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=abc,dc=com--no CoS Templates found, which should be added before the CoS Definition.
> >>>>>>>> [29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
> >>>>>>>> [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >>>>>>>> [29/Jun/2014:02:00:58 +0800] NSMMReplicationPlugin - agmt="cn=meToserver2.abc.com" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
> >>>>>>>> [29/Jun/2014:02:00:58 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> >>>>>>>> [29/Jun/2014:02:00:58 +0800] - Listening on All Interfaces port 636 for LDAPS requests
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> 389-Directory/1.2.11.15 B2013.240.174
> >>>>>>>> server2.abc.com:636
> >>>>>>>> (/etc/dirsrv/slapd-abc-COM)
> >>>>>>>>
> >>>>>>>> [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >>>>>>>> [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >>>>>>>> [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >>>>>>>> [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meToserver1.abc.com" (server1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
> >>>>>>>> [30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >>>>>>>> [30/Jun/2014:12:51:35 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >>>>>>>> [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >>>>>>>> [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >>>>>>>> [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >>>>>>>> [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >>>>>>>> [30/Jun/2014:12:51:52 +0800] NSMMReplicationPlugin - agmt="cn=meToserver1.abc.com" (server1:389): Replication bind with GSSAPI auth resumed
> >>>>>>>>
> >>>>>>>
> >>>>>>> You are using an older version of
> >>>>>>> 389. The version on server2 is older
> >>>>>>> than the version on server1. Can you
> >>>>>>> upgrade and see if that fixes your
> >>>>>>> problems? Even if it doesn't fix
> >>>>>>> your problems, it will be much easier
> >>>>>>> for us to support.
> >>>>>>>
> >>>>>>>
> >>>>>>>>
> >>>>>>>> 2014-07-09 10:55 GMT+08:00
> >>>>>>>> <barrykfl at gmail.com>:
> >>>>>>>>
> >>>>>>>> FYI..
> >>>>>>>> 160: [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.156.89 to 192.168.156.89
> >>>>>>>> 163: [04/Jul/2014:12:35:30 +0800] conn=936207 op=-1 fd=73 closed - B1
> >>>>>>>>
> >>>>>>>> There is not abt binding but i
> >>>>>>>> unsure how to fix ..
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> 2014-07-09 2:01 GMT+08:00 Rich
> >>>>>>>> Megginson <rmeggins at redhat.com>:
> >>>>>>>>
> >>>>>>>> On 07/08/2014 02:16 AM,
> >>>>>>>> barrykfl at gmail.com wrote:
> >>>>>>>>> Resent as size limit.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Here u are server1 's
> >>>>>>>>> access log seem one side broken
> >>>>>>>>>
> >>>>>>>>> the problem is how to make
> >>>>>>>>> it replicate again.
> >>>>>>>>>
> >>>>>>>>> At server 1
> >>>>>>>>>
> >>>>>>>>> it is ok master server1
> >>>>>>>>> master server2
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Another side server 2
> >>>>>>>>> contains 2 ip replication.
> >>>>>>>>>
> >>>>>>>>> ipa-replica-manage list
> >>>>>>>>> shown Can't contact LDAP server
> >>>>>>>>>
> >>>>>>>>> I dont know why but the
> >>>>>>>>> problematic server is server
> >>>>>>>>> 2 not server 1
> >>>>>>>>>
> >>>>>>>>> log of server2
> >>>>>>>>> [08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from 192.168.15.89 (server1) to 192.168.15.88(server2)
> >>>>>>>>> [08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
> >>>>>>>>> [08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
> >>>>>>>>> [08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1
> >>>>>>>>> [08/Jul/2014:16:02:41 +0800] conn=3299733 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
> >>>>>>>>> [08/Jul/2014:16:02:41 +0800] conn=3299733 op=-1 fd=69 closed - B1
> >>>>>>>>
> >>>>>>>> You never answered my
> >>>>>>>> question below. "Are you
> >>>>>>>> sure that this connection is
> >>>>>>>> a replication session? Can
> >>>>>>>> you post all of the
> >>>>>>>> operations from the access
> >>>>>>>> log from conn=936207?"
> >>>>>>>>
> >>>>>>>> In the future, please avoid
> >>>>>>>> spamming the list with large
> >>>>>>>> log files. In general, it's
> >>>>>>>> better to provide excerpts
> >>>>>>>> from the log files showing
> >>>>>>>> the problem, paste them to
> >>>>>>>> fpaste.org, and
> >>>>>>>> post the link to the mailing
> >>>>>>>> list. If for some reason
> >>>>>>>> you need to post a large
> >>>>>>>> file, please use a file
> >>>>>>>> sharing service and post the
> >>>>>>>> link to the file.
> >>>>>>>>
> >>>>>>>> Can you take a look at your
> >>>>>>>> errors log from server 1 and
> >>>>>>>> server 2 and see if there
> >>>>>>>> are any relevant errors?
> >>>>>>>>
> >>>>>>>> If I had to guess, I would
> >>>>>>>> say that there is some sort
> >>>>>>>> of network error between
> >>>>>>>> server 1 and server 2 that
> >>>>>>>> causes the excessive closed
> >>>>>>>> - B1. Perhaps there will be
> >>>>>>>> more information in the
> >>>>>>>> errors log.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> 2014-07-07 22:21 GMT+08:00
> >>>>>>>>> Rich Megginson
> >>>>>>>>> <rmeggins at redhat.com>:
> >>>>>>>>>
> >>>>>>>>> On 07/04/2014 03:28 AM,
> >>>>>>>>> barrykfl at gmail.com wrote:
> >>>>>>>>>> FOUND something
> >>>>>>>>>> strange that server 1
> >>>>>>>>>> replicate to itself
> >>>>>>>>>> rather than server2
> >>>>>>>>>>
> >>>>>>>>>> Server1 access log > Wrong
> >>>>>>>>>> [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.15.89( server1 ) to 192.168.15.89 (server1)
> >>>>>>>>>
> >>>>>>>>> Are you sure that this
> >>>>>>>>> connection is a
> >>>>>>>>> replication session?
> >>>>>>>>> Can you post all of the
> >>>>>>>>> operations from the
> >>>>>>>>> access log from
> >>>>>>>>> conn=936207?
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Server 2 access log > OK
> >>>>>>>>>> [04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection from 192.168.15.89(server2) to 192.168.15.88 (server2)
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> 2014-07-04 9:25 GMT+08:00 <barrykfl at gmail.com>:
> >>>>>>>>>>
> >>>>>>>>>> Just sure now one side flow is broken, if u
> >>>>>>>>>> update server1 , it 100% work server2 will upgrade.
> >>>>>>>>>> but if u update server2 there is chance non-syn e.g
> >>>>>>>>>> it create username in server1 with posfix grp >ok
> >>>>>>>>>> but in server2 it only created posfix grp but no
> >>>>>>>>>> username /attribute it occur several times. I have to
> >>>>>>>>>> use command line grp del ...etc. to force del them and
> >>>>>>>>>> recreate them.,.
> >>>>>>>>>>
> >>>>>>>>>> Result below:
> >>>>>>>>>>
> >>>>>>>>>> server2.abc.com: replica
> >>>>>>>>>>   last init status: None
> >>>>>>>>>>   last init ended: None
> >>>>>>>>>>   last update status: 0 Replica acquired successfully: Incremental update succeeded
> >>>>>>>>>>   last update ended: 2014-07-04 00:33:18+00:00
> >>>>>>>>>>
> >>>>>>>>>> Directory Manager password:
> >>>>>>>>>>
> >>>>>>>>>> server1.abc.com: replica
> >>>>>>>>>>   last init status: 0 Total update succeeded
> >>>>>>>>>>   last init ended: 2014-06-20 10:07:02+00:00
> >>>>>>>>>>   last update status: 0 Replica acquired successfully: Incremental update succeeded
> >>>>>>>>>>   last update ended: 2014-07-04 01:14:19+00:00
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> [root@(LIVE)server2 ~]$ ipactl status
> >>>>>>>>>> Directory Service: RUNNING
> >>>>>>>>>> KDC Service: RUNNING
> >>>>>>>>>> KPASSWD Service: RUNNING
> >>>>>>>>>> MEMCACHE Service: RUNNING
> >>>>>>>>>> HTTP Service: RUNNING
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> 2014-07-04 1:34 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
> >>>>>>>>>>
> >>>>>>>>>> barrykfl at gmail.com wrote:
> >>>>>>>>>> > Yes they are running. Server 1 can syn to server2 but error at server 2
> >>>>>>>>>> > like this.
> >>>>>>>>>>
> >>>>>>>>>> How do you know server 1 is syncing with server 2?
> >>>>>>>>>>
> >>>>>>>>>> On server 1 I'd run:
> >>>>>>>>>>
> >>>>>>>>>> ipa-replica-manage list -v `hostname`
> >>>>>>>>>>
> >>>>>>>>>> This will show the replication status.
> >>>>>>>>>>
> >>>>>>>>>> And what does ipactl status show on server 2?
> >>>>>>>>>>
> >>>>>>>>>> rob
> >>>>>>>>>>
> >>>>>>>>>> >
> >>>>>>>>>> > 2014/7/3 10:14 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
> >>>>>>>>>> >
> >>>>>>>>>> > Please keep replies on the list.
> >>>>>>>>>> >
> >>>>>>>>>> > barrykfl at gmail.com wrote:
> >>>>>>>>>> > > I saw the error below and error log is it related ?
> >>>>>>>>>> > >
> >>>>>>>>>> > > 29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
> >>>>>>>>>> > > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >>>>>>>>>> >
> >>>>>>>>>> > I believe this is fairly normal on a new startup. It has to start
> >>>>>>>>>> > somewhere. The expired ticket errors below are unexpected since there
> >>>>>>>>>> > are so many of them. Is your KDC running?
> >>>>>>>>>> >
> >>>>>>>>>> > ipactl status
> >>>>>>>>>> >
> >>>>>>>>>> > rob
> >>>>>>>>>> >
> >>>>>>>>>> > >
> >>>>>>>>>> > >
> >>>>>>>>>> > > 2014-07-02 14:15 GMT+08:00 <barrykfl at gmail.com>:
> >>>>>>>>>> > >
> >>>>>>>>>> > >
> >>>>>>>>>> > > this is the error log i found at 2.abc.com
> >>>>>>>>>> > >
> >>>>>>>>>> > > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >>>>>>>>>> > > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
> >>>>>>>>>> > > [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >>>>>>>>>> > >
> >>>>>>>>>>
> [30/Jun/2014:12:51:31
> >>>>>>>>>> +0800]
> >>>>>>>>>>
> NSMMReplicationPlugin
> >>>>>>>>>> -
> >>>>>>>>>> > >
> >>>>>>>>>>
> agmt="cn=meTo1.abc.com <http://meTo1.abc.com>
> >>>>>>>>>>
> <http://meTo1.abc.com>
> >>>>>>>>>>
> <http://meTo1.abc.com>
> >>>>>>>>>> >
> >>>>>>>>>>
> <http://meTo1.abc.com>"
> >>>>>>>>>>
> (central:389):
> >>>>>>>>>> > >
> >>>>>>>>>> Replication
> >>>>>>>>>> bind with
> >>>>>>>>>> GSSAPI auth
> >>>>>>>>>> failed: LDAP
> >>>>>>>>>> error -2
> (Local
> >>>>>>>>>> > >
> >>>>>>>>>> error)
> >>>>>>>>>> (SASL(-1):
> >>>>>>>>>> generic
> >>>>>>>>>> failure:
> >>>>>>>>>> GSSAPI Error:
> >>>>>>>>>>
> Unspecified GSS
> >>>>>>>>>> > >
> >>>>>>>>>> failure.
> >>>>>>>>>> Minor code
> >>>>>>>>>> may provide
> >>>>>>>>>> more
> >>>>>>>>>> information
> >>>>>>>>>> (Ticket
> >>>>>>>>>> >
> expired))
> >>>>>>>>>> > >
> >>>>>>>>>>
> [30/Jun/2014:12:51:34
> >>>>>>>>>> +0800]
> >>>>>>>>>>
> slapd_ldap_sasl_interactive_bind
> >>>>>>>>>> -
> >>>>>>>>>> > >
> >>>>>>>>>> Error: could
> >>>>>>>>>> not perform
> >>>>>>>>>> interactive
> >>>>>>>>>> bind for
> id []
> >>>>>>>>>> mech
> [GSSAPI]:
> >>>>>>>>>> > >
> >>>>>>>>>> LDAP error -2
> >>>>>>>>>> (Local error)
> >>>>>>>>>> (SASL(-1):
> >>>>>>>>>> generic
> >>>>>>>>>> failure:
> GSSAPI
> >>>>>>>>>> > >
> >>>>>>>>>> Error:
> >>>>>>>>>> Unspecified
> >>>>>>>>>> GSS failure.
> >>>>>>>>>> Minor code
> >>>>>>>>>> may
> provide more
> >>>>>>>>>> > >
> >>>>>>>>>> information
> >>>>>>>>>> (Ticket
> >>>>>>>>>> expired))
> >>>>>>>>>> errno 0
> (Success)
> >>>>>>>>>> > >
> >>>>>>>>>>
> [30/Jun/2014:12:51:35
> >>>>>>>>>> +0800]
> >>>>>>>>>>
> slapd_ldap_sasl_interactive_bind
> >>>>>>>>>> -
> >>>>>>>>>> > >
> >>>>>>>>>> Error: could
> >>>>>>>>>> not perform
> >>>>>>>>>> interactive
> >>>>>>>>>> bind for
> id []
> >>>>>>>>>> mech
> [GSSAPI]:
> >>>>>>>>>> > >
> >>>>>>>>>> LDAP error -2
> >>>>>>>>>> (Local error)
> >>>>>>>>>> (SASL(-1):
> >>>>>>>>>> generic
> >>>>>>>>>> failure:
> GSSAPI
> >>>>>>>>>> > >
> >>>>>>>>>> Error:
> >>>>>>>>>> Unspecified
> >>>>>>>>>> GSS failure.
> >>>>>>>>>> Minor code
> >>>>>>>>>> may
> provide more
> >>>>>>>>>> > >
> >>>>>>>>>> information
> >>>>>>>>>> (Ticket
> >>>>>>>>>> expired))
> >>>>>>>>>> errno 0
> (Success)
> >>>>>>>>>> > >
> >>>>>>>>>>
> [30/Jun/2014:12:51:35
> >>>>>>>>>> +0800]
> >>>>>>>>>>
> slapi_ldap_bind -
> >>>>>>>>>> Error:
> could not
> >>>>>>>>>> > >
> >>>>>>>>>> perform
> >>>>>>>>>> interactive
> >>>>>>>>>> bind for
> id []
> >>>>>>>>>> mech
> [GSSAPI]:
> >>>>>>>>>> error -2
> >>>>>>>>>> > (Local
> >>>>>>>>>> error)
> >>>>>>>>>> > >
> >>>>>>>>>>
> [30/Jun/2014:12:51:40
> >>>>>>>>>> +0800]
> >>>>>>>>>>
> slapd_ldap_sasl_interactive_bind
> >>>>>>>>>> -
> >>>>>>>>>> > >
> >>>>>>>>>> Error: could
> >>>>>>>>>> not perform
> >>>>>>>>>> interactive
> >>>>>>>>>> bind for
> id []
> >>>>>>>>>> mech
> [GSSAPI]:
> >>>>>>>>>> > >
> >>>>>>>>>> LDAP error -2
> >>>>>>>>>> (Local error)
> >>>>>>>>>> (SASL(-1):
> >>>>>>>>>> generic
> >>>>>>>>>> failure:
> GSSAPI
> >>>>>>>>>> > >
> >>>>>>>>>> Error:
> >>>>>>>>>> Unspecified
> >>>>>>>>>> GSS failure.
> >>>>>>>>>> Minor code
> >>>>>>>>>> may
> provide more
> >>>>>>>>>> > >
> >>>>>>>>>> information
> >>>>>>>>>> (Ticket
> >>>>>>>>>> expired))
> >>>>>>>>>> errno 0
> (Success)
> >>>>>>>>>> > >
> >>>>>>>>>>
> [30/Jun/2014:12:51:40
> >>>>>>>>>> +0800]
> >>>>>>>>>>
> slapd_ldap_sasl_interactive_bind
> >>>>>>>>>> -
> >>>>>>>>>> > >
> >>>>>>>>>> Error: could
> >>>>>>>>>> not perform
> >>>>>>>>>> interactive
> >>>>>>>>>> bind for
> id []
> >>>>>>>>>> mech
> [GSSAPI]:
> >>>>>>>>>> > >
> >>>>>>>>>> LDAP error -2
> >>>>>>>>>> (Local error)
> >>>>>>>>>> (SASL(-1):
> >>>>>>>>>> generic
> >>>>>>>>>> failure:
> GSSAPI
> >>>>>>>>>> > >
> >>>>>>>>>> Error:
> >>>>>>>>>> Unspecified
> >>>>>>>>>> GSS failure.
> >>>>>>>>>> Minor code
> >>>>>>>>>> may
> provide more
> >>>>>>>>>> > >
> >>>>>>>>>> information
> >>>>>>>>>> (Ticket
> >>>>>>>>>> expired))
> >>>>>>>>>> errno 0
> (Success)
> >>>>>>>>>> > >
> >>>>>>>>>>
> [30/Jun/2014:12:51:40
> >>>>>>>>>> +0800]
> >>>>>>>>>>
> slapi_ldap_bind -
> >>>>>>>>>> Error:
> could not
> >>>>>>>>>> > >
> >>>>>>>>>> perform
> >>>>>>>>>> interactive
> >>>>>>>>>> bind for
> id []
> >>>>>>>>>> mech
> [GSSAPI]:
> >>>>>>>>>> error -2
> >>>>>>>>>> > (Local
> >>>>>>>>>> error)
> >>>>>>>>>> > >
> >>>>>>>>>> > > 2014-07-02 12:32 GMT+08:00 <barrykfl at gmail.com>:
> >>>>>>>>>> > >
> >>>>>>>>>> > > yes on node 1 it is happening only node2 fail connect
> >>>>>>>>>> > >
> >>>>>>>>>> > > ipa-replica-manage list 2.abc.com
> >>>>>>>>>> > > Directory Manager password:
> >>>>>>>>>> > >
> >>>>>>>>>> > > 1.abc.com: replica
> >>>>>>>>>> > >
> >>>>>>>>>> > > 2014-06-30 20:59 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
> >>>>>>>>>> > >
> >>>>>>>>>> > > Barry wrote:
> >>>>>>>>>> > > > Hi:
> >>>>>>>>>> > >
> >>>>> ...
>
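The triage described in the quoted reply (one credentials-cache miss on a new startup is normal, a run of "Ticket expired" failures is not), as an added example that is not from the thread: a small parser for 389-ds errors-log lines in the format quoted above. The function names, the repeat threshold of 3 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<comp>\S+) - (?P<msg>.*)$")
MINOR = re.compile(r"Minor code may provide more information \((?P<why>[^()]*)\)\)")
AGMT = re.compile(r'agmt="(?P<agmt>[^"]+)"')

# Constructed sample lines in the errors-log format quoted in the thread.
_SASL = ("[{ts} +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform "
         "interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) "
         "(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. "
         "Minor code may provide more information ({why})) errno 0 (Success)")
SAMPLE = [
    _SASL.format(ts="29/Jun/2014:02:00:58",
                 why="Credentials cache file '/tmp/krb5cc_492' not found"),
    "[29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform "
    "interactive bind for id [] mech [GSSAPI]: error -2 (Local error)",
    _SASL.format(ts="30/Jun/2014:12:51:31", why="Ticket expired"),
    '[30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meTo1.abc.com" '
    "(central:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local "
    "error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. "
    "Minor code may provide more information (Ticket expired))",
    _SASL.format(ts="30/Jun/2014:12:51:34", why="Ticket expired"),
    _SASL.format(ts="30/Jun/2014:12:51:35", why="Ticket expired"),
]

def parse(line):
    """Return (timestamp, component, minor_reason, agreement) or None."""
    m = LINE.match(line.strip())
    minor = MINOR.search(m["msg"]) if m else None
    if not minor:
        return None  # e.g. the slapi_ldap_bind summary line has no minor code
    why = re.sub(r"'[^']*'", "<path>", minor["why"])  # fold per-process cache paths
    agmt = AGMT.search(m["msg"])
    return m["ts"], m["comp"], why, agmt["agmt"] if agmt else None

def triage(lines, repeat_threshold=3):
    """Count GSSAPI minor reasons, flag repeats, list agreements that failed to bind."""
    events = [e for e in map(parse, lines) if e]
    counts = Counter(why for _, _, why, _ in events)
    broken = sorted({a for _, _, _, a in events if a})
    verdict = {}
    for why, n in counts.items():
        if n >= repeat_threshold:  # assumed cut-off for "so many of them"
            verdict[why] = "repeated: check that the KDC is running (ipactl status)"
        elif "not found" in why:
            verdict[why] = "single miss: expected on a new startup"
        else:
            verdict[why] = "review"
    return counts, verdict, broken
```

Calling `triage()` on the lines of the real errors log returns the per-reason counts, a verdict per reason and the replication agreements whose GSSAPI bind failed.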