[Freeipa-users] 3.0.0-42 Replication issue after Centos6.5->6.6 upgrade

dbischof at hrz.uni-kassel.de dbischof at hrz.uni-kassel.de
Tue Nov 18 13:05:04 UTC 2014 

Hi,

On Fri, 7 Nov 2014, Dmitri Pal wrote:

> On 11/07/2014 01:24 AM, Will Sheldon wrote:
>> On November 6, 2014 at 10:07:54 PM, Dmitri Pal (dpal at redhat.com 
>> <mailto:dpal at redhat.com>) wrote:
>>> On 11/07/2014 12:18 AM, Will Sheldon wrote:
>>>> 
>>>> On the whole we are loving FreeIPA, Many thanks and much respect to 
>>>> all involved, we’ve had a great 12-18 months hassle free use out of 
>>>> it - it is a fantastically stable trouble free solution… however now 
>>>> we’ve run into a small issue we (as mere mortals) are finding it hard 
>>>> to resolve :-/
>>>> 
>>>> We upgraded our ipa servers (3.0.0-42) to Centos 6.6. everything 
>>>> seems to go well, but one server is behaving oddly. It’s likely not 
>>>> an IPA issue, it also reset it’s hostname somehow after the upgrade 
>>>> (it’s an image in an openstack environment)
>>>> 
>>>> If anyone has any pointers as to how to debug I’d be hugely 
>>>> appreciative :)
>>>> 
>>>> Two servers, server1.domain.com and server2.domain.com
>>>> 
>>>> Server1 can’t push data to server2, there are updates and new records 
>>>> on server1 that do not exist on server2.
>>>> 
>>>> 
>>>> from the logs on server1:
>>>> 
>>>> [07/Nov/2014:01:33:42 +0000] NSMMReplicationPlugin - 
>>>> agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to send 
>>>> endReplication extended operation (Can't contact LDAP server)
>>>> [07/Nov/2014:01:33:47 +0000] NSMMReplicationPlugin - 
>>>> agmt="cn=meToserver2.domain.com" (server2:389): Replication bind with 
>>>> GSSAPI auth resumed
>>>> [07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin - 
>>>> agmt="cn=meToserver2.domain.com" (server2:389): Warning: unable to 
>>>> replicate schema: rc=2
>>>> [07/Nov/2014:01:33:48 +0000] NSMMReplicationPlugin - 
>>>> agmt="cn=meToserver2.domain.com" (server2:389): Consumer failed to replay 
>>>> change (uniqueid (null), CSN (null)): Can't contact LDAP server(-1). Will 
>>>> retry later.
>>> 
>>> Try to see
>>> a) Server 1 properly resolves server 2
>>> b) You can connect from server 1 to server 2 using ldapsearch
>>> c) your firewall has proper ports open
>>> d) dirserver on server 2 is actually running
>> 
>> All seems working:
>> 
>> [root at server1 ~]# ldapsearch -x -H ldap://server2.domain.com -s base -b '' 
>> namingContexts
>
> Can you try kinit admin and then use kerberos GSSAPI to connect, i.e. -Y 
> switch?

is this resolved? I observe it on my systems, too. Exact same symptoms. 
ldapsearch with "-Y GSSAPI" works.

> Did you find anything in the server2 logs?

On my "server2", I see "sasl_io_recv failed to decode packet for 
connection #".

Could there be something wrong with default buffer sizes as described in 
https://bugzilla.redhat.com/show_bug.cgi?id=953653

I have nsslapd-sasl-max-buffer-size: 65536 on both machines, but my 
database is rather small: ~30 users, <10 hosts and services.

>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope baseObject
>> # filter: (objectclass=*)
>> # requesting: namingContexts
>> #
>> 
>> #
>> dn:
>> namingContexts: dc=domain,dc=com
>> 
>> # search result
>> search: 2
>> result: 0 Success
>> 
>> # numResponses: 2
>> # numEntries: 1
>> [root at server1 ~]#
>> 
>> And:
>> 
>> [root at server2 ~]# /etc/init.d/dirsrv status
>> dirsrv DOMAIN-COM (pid 1009) is running...
>> dirsrv PKI-IPA (pid 1083) is running...
>> [root at server2 ~]#
>> 
>>> 
>>> Check logs on server 2 to see whether it actually sees an attempt to 
>>> connect, I suspect not, so it is most likely a DNS/FW issue or dir server 
>>> is not running on 2.
>>>> 
>>>> 
>>>> and the servers:
>>>> 
>>>> [root at server1 ~]# ipa-replica-manage list -v `hostname`
>>>> Directory Manager password:
>>>> 
>>>> server2.domain.com: replica
>>>> last init status: None
>>>> last init ended: None
>>>> last update status: 0 Replica acquired successfully: Incremental update 
>>>> started
>>>> last update ended: 2014-11-07 01:35:58+00:00
>>>> [root at server1 ~]#
>>>> 
>>>> 
>>>> 
>>>> [root at server2 ~]# ipa-replica-manage list -v `hostname`
>>>> Directory Manager password:
>>>> 
>>>> server1.domain.com: replica
>>>> last init status: None
>>>> last init ended: None
>>>> last update status: 0 Replica acquired successfully: Incremental update 
>>>> succeeded
>>>> last update ended: 2014-11-07 01:35:43+00:00
>>>> [root at server2 ~]#


Mit freundlichen Gruessen/With best regards,

--Daniel.

More information about the Freeipa-users mailing list