[Freeipa-users] 3.0.0-42 Replication issue after Centos6.5->6.6 upgrade

Dmitri Pal dpal at redhat.com
Fri Nov 7 20:28:41 UTC 2014


On 11/07/2014 01:24 AM, Will Sheldon wrote:
> On November 6, 2014 at 10:07:54 PM, Dmitri Pal (dpal at redhat.com) wrote:
>> On 11/07/2014 12:18 AM, Will Sheldon wrote:
>>>
>>> Hello all :)
>>>
>>> On the whole we are loving FreeIPA. Many thanks and much respect to 
>>> all involved, we’ve had a great 12-18 months hassle free use out of 
>>> it  - it is a fantastically stable trouble free solution… however 
>>> now we’ve run into a small issue we (as mere mortals) are finding it 
>>> hard to resolve :-/
>>>
>>> We upgraded our ipa servers (3.0.0-42) to Centos 6.6. Everything 
>>> seems to go well, but one server is behaving oddly. It’s likely not 
>>> an IPA issue, it also reset its hostname somehow after the upgrade 
>>> (it’s an image in an openstack environment)
>>>
>>> If anyone has any pointers as to how to debug I’d be hugely 
>>> appreciative :)
>>>
>>> Two servers, server1.domain.com and server2.domain.com
>>>
>>> Server1 can’t push data to server2, there are updates and new 
>>> records on server1 that do not exist on server2.
>>>
>>>
>>> from the logs on server1:
>>>
>>> [07/Nov/2014:01:33:42 +0000] NSMMReplicationPlugin - 
>>> agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to 
>>> send endReplication extended operation (Can't contact LDAP server)
>>> [07/Nov/2014:01:33:47 +0000] NSMMReplicationPlugin - 
>>> agmt="cn=meToserver2.domain.com" (server2:389): Replication bind 
>>> with GSSAPI auth resumed
>>> [07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin - 
>>> agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to 
>>> replicate schema: rc=2
>>> [07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin - 
>>> agmt="cn=meToserver2.domain.com" (server2:389): Consumer failed to 
>>> replay change (uniqueid (null), CSN (null)): Can't contact LDAP 
>>> server(-1). Will retry later.
>>
>> Try to see
>> a) Server 1 properly resolves server 2
>> b) You can connect from server 1 to server 2 using ldapsearch
>> c) your firewall has proper ports open
>> d) dirserver on server 2 is actually running
>
> All seems working:
>
> [root@server1 ~]# ldapsearch -x -H ldap://server2.domain.com -s base 
> -b '' namingContexts

Can you try kinit admin and then use Kerberos GSSAPI to connect, i.e. the -Y 
switch?

Did you find anything in the server2 logs?

> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: namingContexts
> #
>
> #
> dn:
> namingContexts: dc=domain,dc=com
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@server1 ~]#
>
> And:
>
> [root@server2 ~]# /etc/init.d/dirsrv status
> dirsrv DOMAIN-COM (pid 1009) is running...
> dirsrv PKI-IPA (pid 1083) is running...
> [root@server2 ~]#
>
>
>
>>
>>
>> Check logs on server 2 to see whether it actually sees an attempt to 
>> connect, I suspect not, so it is most likely a DNS/FW issue or dir 
>> server is not running on 2.
>>>
>>>
>>> and the servers:
>>>
>>> [root@server1 ~]# ipa-replica-manage list -v `hostname`
>>> Directory Manager password:
>>>
>>> server2.domain.com: replica
>>> last init status: None
>>> last init ended: None
>>> last update status: 0 Replica acquired successfully: Incremental 
>>> update started
>>> last update ended: 2014-11-07 01:35:58+00:00
>>> [root@server1 ~]#
>>>
>>>
>>>
>>> [root@server2 ~]# ipa-replica-manage list -v `hostname`
>>> Directory Manager password:
>>>
>>> server1.domain.com: replica
>>> last init status: None
>>> last init ended: None
>>> last update status: 0 Replica acquired successfully: Incremental 
>>> update succeeded
>>> last update ended: 2014-11-07 01:35:43+00:00
>>> [root@server2 ~]#
>>>
>>>
>>>
>>>
>>> Will Sheldon
>>>
>>>
>>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
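
Added example, not part of the original message and not FreeIPA or 389-DS code: a Python triage of the NSMMReplicationPlugin lines quoted above, grouping them per replication agreement and flagging a lost connection that follows a resumed GSSAPI bind. The category names and the `classify` and `triage` helpers are this example's own assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines from the excerpt quoted in the message above, unwrapped to one entry per line.
SAMPLE_LOG = """\
[07/Nov/2014:01:33:42 +0000] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server)
[07/Nov/2014:01:33:47 +0000] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.com" (server2:389): Replication bind with GSSAPI auth resumed
[07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to replicate schema: rc=2
[07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.com" (server2:389): Consumer failed to replay change (uniqueid (null), CSN (null)): Can't contact LDAP server(-1). Will retry later.
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - '
    r'agmt="(?P<agmt>[^"]+)" \((?P<consumer>[^)]+)\): (?P<msg>.*)$')

# Category names are this example's own grouping (an assumption); first match wins.
RULES = [
    ("connect", re.compile(r"Can't contact LDAP server")),
    ("bind_ok", re.compile(r"bind with \S+ auth resumed")),
    ("schema", re.compile(r"unable to replicate schema")),
]

def classify(msg):
    """Return the first matching category name, or "other"."""
    return next((name for name, rx in RULES if rx.search(msg)), "other")

def triage(log_text):
    """Summarise replication-plugin lines per agreement name."""
    out = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an agreement line from the replication plugin
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        a = out.setdefault(m["agmt"], {"consumer": m["consumer"], "counts": Counter(),
            "first": ts, "last": ts, "bind_seen": False, "drop_after_bind": False})
        cat = classify(m["msg"])
        a["counts"][cat] += 1
        a["last"] = ts
        # Flag a connection loss logged after a bind had already been resumed.
        if cat == "connect" and a["bind_seen"]:
            a["drop_after_bind"] = True
        a["bind_seen"] = a["bind_seen"] or cat == "bind_ok"
    return out

if __name__ == "__main__":
    for agmt, s in triage(SAMPLE_LOG).items():
        print(agmt, s["consumer"], dict(s["counts"]), "drop_after_bind:", s["drop_after_bind"])
```

The log shows the agreement binding with GSSAPI, while the `ldapsearch -x` test in the thread uses a simple anonymous bind, so the two do not exercise the same authentication path.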
