[Freeipa-users] Replication stopped working

Martin Kosek mkosek at redhat.com
Fri Sep 5 06:24:35 UTC 2014


On 09/04/2014 05:11 PM, Guillermo Fuentes wrote:
> Hello list,
> 
> We’re running FreeIPA with a master and 3 replicas. The replication
> stopped working and currently we’re adding resources only to the
> master. This is the environment we have:
> m1:
>   OS: CentOS release 6.5
>   FreeIPA: 3.0.0-37
>   CA: pki-ca-9.0.3
> 
> 
> # ipa-replica-manage list -v `hostname`
> m2.example.com: replica
>   last init status: None
>   last init ended: None
>   last update status: 49  - LDAP error: Invalid credentials
>   last update ended: None
> m3.example.com: replica
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental
> update succeeded
>   last update ended: 2014-09-04 14:28:44+00:00
> m4.example.com: replica
>   last init status: None
>   last init ended: None
>   last update status: -2  - LDAP error: Local error
>   last update ended: None
> 
> m2:
>   OS: CentOS release 6.5
>   FreeIPA: 3.0.0-37
> 
> # ipa-replica-manage list -v `hostname`
> m1.example.com: replica
>   last init status: None
>   last init ended: None
>   last update status: -1 Incremental update has failed and requires
> administrator actionLDAP error: Can't contact LDAP server
>   last update ended: 2014-09-03 22:53:21+00:00
> 
> m3:
>   OS: CentOS release 6.5
>   FreeIPA: 3.0.0-37
> 
> # ipa-replica-manage list -v `hostname`
> m1.example.com: replica
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental
> update succeeded
>   last update ended: 2014-09-04 14:31:51+00:00
> 
> m4:
>   OS: CentOS release 6.5
>   FreeIPA: 3.3.3-28
> 
> # ipa-replica-manage list -v `hostname`
> m1.example.com: replica
>   last init status: None
>   last init ended: None
>   last update status: 49 Unable to acquire replicaLDAP error: Invalid
> credentials
>   last update ended: None
> 
> 
> Note that although m3 reports “Incremental update succeeded”, users
> created on m1 are not replicated to m3, and users created on m3 are
> not replicated back to m1.
> 
> We’ve tried different things including re-initializing m2.
> 
> Can somebody point me in the right direction to get replication going again?
> 
> Thanks in advance!
> 
> Guillermo

Hello,

I think we would need more troubleshooting information that is available in
/var/log/dirsrv/slapd-EXAMPLE-COM/errors, especially on m2, m3, m4.

A few pointers on what I would try myself:
1) Check that all masters have time synced (a difference of a matter of seconds is OK)

2) Check that DNS is all right - all replicas can resolve the master's forward and
reverse address. The master can resolve all replicas' forward and reverse addresses.

This is a common source of replication/Kerberos errors
(http://www.freeipa.org/page/Troubleshooting#Kerberos_does_not_work)
The error "Can't contact LDAP server" may point to DNS issues.

3) Check that you can do plain ldapsearch from replica to master. Ideally even
authenticated with keytab from /etc/dirsrv/ds.keytab

HTH,
Martin
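
The three checks above as one script, run from a replica against the master (or the other way round). This is an added example, not part of the original message; the function names, the 5-second threshold, ssh access for reading the peer's clock and the `ldap/<fqdn>` principal in the keytab are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical script): pre-flight checks against replication peers.
# Usage: sh peer-check.sh m1.example.com [more peers...]
MAX_SKEW=${MAX_SKEW:-5}        # assumed threshold, in seconds
KEYTAB=/etc/dirsrv/ds.keytab   # path named in the post

# Thin wrappers around the external tools so they are easy to swap out.
resolve()      { getent hosts "$1" | awk 'NR==1 {print $1, tolower($2)}'; }  # "addr name"
remote_epoch() { ssh -o BatchMode=yes "$1" date -u +%s; }  # assumes ssh access to the peer
rootdse()      { ldapsearch "$@" -LLL -b "" -s base '(objectClass=*)' namingContexts; }

# 1) clocks must be within MAX_SKEW seconds of each other
check_time() {
    t_remote=$(remote_epoch "$1") || { echo "$1: cannot read remote clock"; return 1; }
    t_local=$(date -u +%s)
    t_diff=$(( $t_local > $t_remote ? $t_local - $t_remote : $t_remote - $t_local ))
    [ "$t_diff" -le "$MAX_SKEW" ] || { echo "$1: clock differs by ${t_diff}s"; return 1; }
    echo "$1: clock ok (${t_diff}s)"
}

# 2) forward lookup must succeed and the address must reverse to the same
#    (lower-case) name; getent follows nsswitch, so /etc/hosts entries count too
check_dns() {
    d_addr=$(resolve "$1" | cut -d' ' -f1)
    [ -n "$d_addr" ] || { echo "$1: no forward record"; return 1; }
    d_back=$(resolve "$d_addr" | cut -d' ' -f2)
    [ "${d_back%.}" = "$1" ] || { echo "$1: $d_addr reverses to '${d_back:-nothing}'"; return 1; }
    echo "$1: DNS ok ($d_addr)"
}

# 3) plain search first, then a GSSAPI bind using the directory server's keytab
check_ldap() {
    rootdse -x -H "ldap://$1" >/dev/null 2>&1 || { echo "$1: plain search failed"; return 1; }
    [ -r "$KEYTAB" ] || { echo "$1: plain LDAP ok; $KEYTAB unreadable, GSSAPI skipped"; return 0; }
    ( KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME   # throwaway credential cache
      kinit -kt "$KEYTAB" "ldap/$(hostname -f)" >/dev/null 2>&1 &&
      rootdse -Y GSSAPI -H "ldap://$1" >/dev/null 2>&1
      rc=$?; rm -f "${KRB5CCNAME#FILE:}"; exit "$rc" ) ||
        { echo "$1: GSSAPI bind with keytab failed"; return 1; }
    echo "$1: LDAP ok (plain and GSSAPI)"
}

main() {
    m_rc=0
    for peer in "$@"; do
        for check in check_time check_dns check_ldap; do "$check" "$peer" || m_rc=1; done
    done
    return "$m_rc"
}
main "$@"
```

Run it as root so the keytab is readable; the exit status is non-zero if any check failed for any peer.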



