[Freeipa-users] 3.0.0-42 Replication issue after Centos6.5->6.6 upgrade

thierry bordaz tbordaz at redhat.com
Fri Nov 21 10:51:39 UTC 2014 

On 11/21/2014 10:59 AM, dbischof at hrz.uni-kassel.de wrote:
> Hi,
>
> On Thu, 20 Nov 2014, thierry bordaz wrote:
>
>> On 11/20/2014 12:03 PM, dbischof at hrz.uni-kassel.de wrote:
>>>
>>> On Thu, 20 Nov 2014, thierry bordaz wrote:
>>>
>>>> Server1 successfully replicated to Server2, but Server2 fails to 
>>>> replicated to Server1.
>>>>
>>>> The replication Server2->Server1 is done with kerberos 
>>>> authentication. Server1 receives the replication session, 
>>>> successfully identify the replication manager, start to receives 
>>>> replication extop but suddenly closes the connection.
>>>>
>>>>
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 fd=78 slot=78 connection from
>>>>   xxx to yyy
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=0 BIND dn="" method=sasl
>>>>   version=3 mech=GSSAPI
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=0 RESULT err=14 tag=97
>>>>   nentries=0 etime=0, SASL bind in progress
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=1 BIND dn="" method=sasl
>>>>   version=3 mech=GSSAPI
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=1 RESULT err=14 tag=97
>>>>   nentries=0 etime=0, SASL bind in progress
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=2 BIND dn="" method=sasl
>>>>   version=3 mech=GSSAPI
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=2 RESULT err=0 tag=97
>>>>   nentries=0 etime=0 dn="krbprincipalname=xxx"
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=3 SRCH base="" scope=0
>>>>   filter="(objectClass=*)" attrs="supportedControl supportedExtension"
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=3 RESULT err=0 tag=101
>>>>   nentries=1 etime=0
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=4 SRCH base="" scope=0
>>>>   filter="(objectClass=*)" attrs="supportedControl supportedExtension"
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=4 RESULT err=0 tag=101
>>>>   nentries=1 etime=0
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=5 EXT
>>>>   oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=5 RESULT err=0 tag=120
>>>>   nentries=0 etime=0
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=6 SRCH base="cn=schema"
>>>>   scope=0 filter="(objectClass=*)" attrs="nsSchemaCSN"
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=6 RESULT err=0 tag=101
>>>>   nentries=1 etime=0
>>>>   [19/Nov/2014:14:21:39 +0100] conn=2980 op=-1 fd=78 closed - I/O
>>>>   function error.
>>>>
>>>> The reason of this closure is logged in server1 error log. 
>>>> sasl_decode fails to decode a received PDU.
>>>>
>>>>   [19/Nov/2014:14:21:39 +0100] - sasl_io_recv failed to decode packet
>>>>   for connection 2980
>>>>
>>>> I do not know why it fails but I wonder if the received PDU is not 
>>>> larger than the maximum configured value. The attribute 
>>>> nsslapd-maxsasliosize is set to 2Mb by default. Would it be 
>>>> possible to increase its value (5Mb) to see if it has an impact
>>>>
>>>> [...]
>>>
>>> I set nsslapd-maxsasliosize to 6164480 on both machines, but the 
>>> problem remains.
>>
>> The sasl-decode fails but the exact returned value is not logged. 
>> With standard version we may need to attach a debugger and then set a 
>> conditional breakpoint in sasl-decode just after conn->oparams.decode 
>> that will fire if result !=0. Now this can change the dynamic and 
>> possibly prevent the problem to occur again. The other option is to 
>> use an instrumented version to log this value.
>
> If I understand the mechanism correctly, Server1 needs to have debug 
> versions of the relevant packages (probably 389-ds-base and 
> cyrus-sasl) installed in order to track down the problem. 
> Unfortunately, my Server1 is in production use - if I break it, my 
> colleagues will grab forks and torches and be after me. A short 
> downtime would be ok, though.
>
> Is there something else I could do?

Hello,

Sure I do not want to trigger so much trouble ;-)


I think my email was not clear. To go further we would need to know the 
exact reason why sasl_decode fails. I see two options:

  * Prepare a debug version, that would report in the error logs the
    returned valud of sasl_decode (when it fails). Except downtime to
    install the debug version, it has no impact in production.

  * Do a debug session (gdb) on Server1. The debug session will install
    a breakpoint at a specific place, let the server run, catch the
    sasl_decode failure and note the return code, exit from debugger.
    When the problem occurs, it happens regularly (each 5 seconds) so we
    should not have to wait long.
    That means that debugging Server1 should disturb production for 5 to
    10 min.
    A detailed procedure to do the debug session is required.

thanks
thierry

>
>
> Mit freundlichen Gruessen/With best regards,
>
> --Daniel.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141121/80b90630/attachment.htm>

More information about the Freeipa-users mailing list