[Freeipa-users] FreeIPA web UI Freezing up

Rich Megginson rmeggins at redhat.com
Mon Jun 8 19:06:48 UTC 2015


On 06/08/2015 12:49 PM, nathan at nathanpeters.com wrote:
>> On 06/08/2015 10:18 AM, nathan at nathanpeters.com wrote:
>> This looks like incremental update is successful . . .
>>
>>> nsds5replicaUpdateInProgress: FALSE
>>> nsds5replicaLastInitStart: 0
>>> nsds5replicaLastInitEnd: 0
>> . . . but this indicates that the sync agreement has never been
>> initialized, which would also correspond to the errors below.  I'm
>> really puzzled as to how sync could possibly work if it has never been
>> initialized.  And I'm also not sure how you could have created the sync
>> agreement using the IPA command line tools without initializing the
>> agreement.  AFAIK, the only way to get rid of the errors is to
>> reinitialize http://linux.die.net/man/1/ipa-replica-manage
> OK, more troubleshooting and I think I discovered the problem.  Making the
> sync agreement into a one way sync from windows to ipa seems to break the
> agreement by uninitializing it?  Not sure how to fix this, but here are the
> logs to prove that is the step that is breaking it.
>
> ============================
> try to create sync agreement
> ============================
>
> [root at dc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=freeipa
> syncuser,ou=Service Account,dc=office,dc=addomain,dc=net" --bindpw
> <secret> --passsync <secret> --cacert /etc/openldap/cacerts/addomain.cer
> officedc2.office.addomain.net --win-subtree
> "OU=Staff,DC=office,DC=addomain,DC=net" -v
> Directory Manager password:
>
> winsync agreement already exists on subtree
> OU=Staff,DC=office,DC=addomain,DC=net
>
> =================================
> failed because it already existed so disconnect
> =================================
>
> [root at dc1 ~]# ipa-replica-manage disconnect officedc2.office.addomain.net
> Directory Manager password:
>
> Deleted replication agreement from 'dc1.ipadomain.net' to
> 'officedc2.office.addomain.net'
>
> ============================
> try to create sync agreement
> ============================
>
> [root at dc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=freeipa
> syncuser,ou=Service Account,dc=office,dc=addomain,dc=net" --bindpw
> a5Ryj2N4EAvjFLJelWOQ --passsync MVQXHEturhjqoFXGvUcH --cacert
> /etc/openldap/cacerts/addomain.cer officedc2.office.addomain.net
> --win-subtree "OU=Staff,DC=office,DC=addomain,DC=net" -v
> Directory Manager password:
>
> Added CA certificate /etc/openldap/cacerts/addomain.cer to certificate
> database for dc1.ipadomain.net
> ipa: INFO: AD Suffix is: DC=office,DC=addomain,DC=net
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
> Windows PassSync system account exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
> acquired successfully: Incremental update started: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Update in progress, 57 seconds elapsed
> Update succeeded
>
> Connected 'dc1.ipadomain.net' to 'officedc2.office.addomain.net'
>
> =====================================
> confirm that init values are non zero
> =====================================
>
> [root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> [root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
> objectclass=nsDSWindowsReplicationAgreement
> Enter LDAP Password:
> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
>   \2Cdc\3Dnet,cn=mapping tree,cn=config
> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
> cn: meToofficedc2.office.addomain.net
> nsds7NewWinGroupSyncEnabled: false
> objectClass: nsDSWindowsReplicationAgreement
> objectClass: top
> nsDS5ReplicaTransportInfo: TLS
> description: me to officedc2.office.addomain.net
> nsDS5ReplicaRoot: dc=ipadomain,dc=net
> nsDS5ReplicaHost: officedc2.office.addomain.net
> nsds5replicaTimeout: 120
> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
> Account,dc=office,dc=addomain,dc=net
> nsds7NewWinUserSyncEnabled: true
> nsDS5ReplicaPort: 389
> nsds7WindowsDomain: ipadomain.net
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
> idnssoaserial
>    entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicaBindMethod: simple
> nsDS5ReplicaCredentials:
> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>   RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
>   0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
>   I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
> nsds7DirsyncCookie::
> TVNEUwMAAADdp7tcGKLQAQAAAAAAAAAAYAEAAAVEoQAAAAAAAAAAAAAAA
>   AAFRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
>   13PwAAAAAADGzFNzznrESIxHzA74fbs72tMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
>   PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+9xBIgAAAAAA4qTQaC46/Ua4KXgP
>   /ixNcdrfVAAAAAAAWowbgYD1akibZ+sCul5C4e9kLQAAAAAAxSO4iapVmEGQ6R23bgLQiwVEoQAAA
>   AAAogC6jFcyFUmhBp4B7FkaBQwfnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
>   mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
>   NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 20150608182349Z
> nsds5replicaLastUpdateEnd: 20150608182349Z
> nsds5replicaChangesSentSinceStartup:
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
> upd
>   ate succeeded
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 20150608182251Z
> nsds5replicaLastInitEnd: 20150608182349Z
> nsds5replicaLastInitStatus: 0 Total update succeeded
>
> ============================================================
> now i update the ldap tree to do a one way sync with windows
> ============================================================
>
> -----------
> Expanding base
> 'cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping
> tree,cn=config'...
> Getting 1 entries:
> Dn:
> cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping
> tree,cn=config
> cn: meToofficedc2.office.addomain.net;
> description: me to officedc2.office.addomain.net;
> nsds50ruv (3): {replicageneration} 553fe9bb000000040000; {replica 4
> ldap://dc1.ipadomain.net:389} 553fe9c9000000040000 5575dff8000000040000;
> {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c4000000030000
> 557244db001700030000;
> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
> Account,dc=office,dc=addomain,dc=net;
> nsDS5ReplicaBindMethod: simple;
> nsds5replicaChangesSentSinceStartup: 4:35/0 ;
> nsDS5ReplicaCredentials:
> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdmI0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=;
> nsDS5ReplicaHost: officedc2.office.addomain.net;
> nsds5replicaLastInitEnd: 0;
> nsds5replicaLastInitStart: 0;
> nsds5replicaLastUpdateEnd: 20150608183351Z;
> nsds5replicaLastUpdateStart: 20150608183350Z;
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
> update succeeded;
> nsDS5ReplicaPort: 389;
> nsds5replicareapactive: 0;
> nsDS5ReplicaRoot: dc=ipadomain,dc=net;
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
> idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth
> krbloginfailedcount;
> nsds5replicaTimeout: 120;
> nsDS5ReplicaTransportInfo: TLS;
> nsds5replicaUpdateInProgress: FALSE;
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net;
> nsds7DirsyncCookie: <ldp: Binary blob 420 bytes>;
> nsds7NewWinGroupSyncEnabled: false;
> nsds7NewWinUserSyncEnabled: true;
> nsds7WindowsDomain: ipadomain.net;
> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net;
> nsruvReplicaLastModified (2): {replica 4 ldap://dc1.ipadomain.net:389}
> 5575df5e; {replica 3 ldap://dc2.ipadomain.net:389} 00000000;
> objectClass (2): nsDSWindowsReplicationAgreement; top;
> oneWaySync: fromWindows;
> -----------
>
>
> [root at dc1 ~]# ipactl restart
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting named Service
> Restarting ipa_memcached Service
> Restarting httpd Service
> Restarting pki-tomcatd Service
> Restarting smb Service
> Restarting winbind Service
> Restarting ipa-otpd Service
> Restarting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
>
> =================================================
> now run search to see if agreement is still valid
> =================================================
>
> [root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
> objectclass=nsDSWindowsReplicationAgreement
> Enter LDAP Password:
> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
>   \2Cdc\3Dnet,cn=mapping tree,cn=config
> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
> cn: meToofficedc2.office.addomain.net
> nsds7NewWinGroupSyncEnabled: false
> objectClass: nsDSWindowsReplicationAgreement
> objectClass: top
> nsDS5ReplicaTransportInfo: TLS
> description: me to officedc2.office.addomain.net
> nsDS5ReplicaRoot: dc=ipadomain,dc=net
> nsDS5ReplicaHost: officedc2.office.addomain.net
> nsds5replicaTimeout: 120
> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
> Account,dc=office,dc=addomain,dc=net
> nsds7NewWinUserSyncEnabled: true
> nsDS5ReplicaPort: 389
> nsds7WindowsDomain: ipadomain.net
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
> idnssoaserial
>    entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicaBindMethod: simple
> nsDS5ReplicaCredentials:
> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>   RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
>   0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
>   I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
> nsds7DirsyncCookie::
> TVNEUwMAAAAJUnAmGaLQAQAAAAAAAAAAYAEAAIREoQAAAAAAAAAAAAAAA
>   ACERKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
>   13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
>   PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP
>   /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi4REoQAAA
>   AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
>   mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
>   NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
> oneWaySync: fromWindows
> nsds50ruv: {replicageneration} 553fe9bb000000040000
> nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
>   000000040000 5575df31000000040000
> nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
>   4000000030000 557244db001700030000
> nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
>   t:389} 5575de97
> nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n
>   et:389} 00000000
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 20150608182928Z
> nsds5replicaLastUpdateEnd: 20150608182928Z
> nsds5replicaChangesSentSinceStartup:: NDoyOC8wIA==
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
> upd
>   ate succeeded
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 0
> nsds5replicaLastInitEnd: 0
>
> ==============
> um WTF?  making it a one way only agreement invalidates the lastinitstart
> value?
> ==============

Looks like a bug.

>
> =================================================================================
> troubleshooting : removing oneWaySync: fromWindows and see if problem
> still exists
> =================================================================================
>
> [root at dc1 ~]# ipactl restart
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting named Service
> Restarting ipa_memcached Service
> Restarting httpd Service
> Restarting pki-tomcatd Service
> Restarting smb Service
> Restarting winbind Service
> Restarting ipa-otpd Service
> Restarting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
>
> [root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
> objectclass=nsDSWindowsReplicationAgreement
> Enter LDAP Password:
> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
>   \2Cdc\3Dnet,cn=mapping tree,cn=config
> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
> cn: meToofficedc2.office.addomain.net
> nsds7NewWinGroupSyncEnabled: false
> objectClass: nsDSWindowsReplicationAgreement
> objectClass: top
> nsDS5ReplicaTransportInfo: TLS
> description: me to officedc2.office.addomain.net
> nsDS5ReplicaRoot: dc=ipadomain,dc=net
> nsDS5ReplicaHost: officedc2.office.addomain.net
> nsds5replicaTimeout: 120
> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
> Account,dc=office,dc=addomain,dc=net
> nsds7NewWinUserSyncEnabled: true
> nsDS5ReplicaPort: 389
> nsds7WindowsDomain: ipadomain.net
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
> idnssoaserial
>    entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicaBindMethod: simple
> nsDS5ReplicaCredentials:
> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>   RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
>   0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
>   I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
> nsds7DirsyncCookie::
> TVNEUwMAAAC1t/mKGaLQAQAAAAAAAAAAYAEAAKlEoQAAAAAAAAAAAAAAA
>   ACpRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
>   13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
>   PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP
>   /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi6lEoQAAA
>   AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
>   mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
>   NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
> nsds50ruv: {replicageneration} 553fe9bb000000040000
> nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
>   000000040000 5575dff8000000040000
> nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
>   4000000030000 557244db001700030000
> nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
>   t:389} 5575df5e
> nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n
>   et:389} 00000000
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 20150608183216Z
> nsds5replicaLastUpdateEnd: 20150608183216Z
> nsds5replicaChangesSentSinceStartup:: NDozMC8wIA==
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
> upd
>   ate succeeded
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 0
> nsds5replicaLastInitEnd: 0
>
> =====================================================
> hmmm, problem still exists and not sure how to fix it
> =====================================================
>

ipa-replica-manage re-initialize?

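Added example, not from the thread and not FreeIPA or 389-ds code: a small Python checker that parses the LDIF dump of a winsync agreement entry (the form ldapsearch -LLL prints above) and reads its status attributes the way the thread does, where nsds5replicaLastInitStart/End of 0 mean no total update is recorded and a nsds5replicaLastUpdateStatus starting with 0 means the last incremental run succeeded. The embedded entry is constructed from the attributes in the post (same host names; dirsync cookie and credentials left out). The attribute names are the real 389-ds ones; the function names, the findings wording and the treatment of nsDS5ReplicaTransportInfo values LDAP/TLS/SSL as plain versus encrypted are this example's own assumptions.

```python
"""Parse an LDIF dump of a 389-ds winsync agreement and summarize its state.

Added example (not from the thread, FreeIPA or 389-ds). The sample entry is
constructed from the attributes quoted in the post; cookie and credentials
are omitted.
"""
import base64
import re

# Constructed sample, folded and base64-encoded the way ldapsearch -LLL emits it.
SAMPLE_LDIF = """\
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\\3Dipadomain
 \\2Cdc\\3Dnet,cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaHost: officedc2.office.addomain.net
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: TLS
nsDS5ReplicaBindMethod: simple
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
oneWaySync: fromWindows
nsds5replicaChangesSentSinceStartup:: NDozMC8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
  update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
"""

GENERALIZED_TIME = re.compile(r"^\d{14}Z$")   # e.g. 20150608182251Z


def parse_ldif_entry(text):
    """Return {attribute-name-lowercased: [values]} for one LDIF entry.

    Handles the two things that trip up naive greps of ldapsearch output:
    continuation lines (a leading space joins the line to the previous one)
    and '::' values, which are base64 because the raw value is not safe as
    plain LDIF (here the value ends in a space)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]           # drop exactly one fold space
        else:
            unfolded.append(raw)
    attrs = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")  # split on the FIRST colon only
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def check_agreement(attrs):
    """Summarize an agreement entry; keys mirror the attributes quoted above."""
    def first(name, default=""):
        return attrs.get(name.lower(), [default])[0]

    # Assumption: 389-ds uses LDAP (plain), TLS (StartTLS) and SSL (LDAPS) here.
    transport = first("nsDS5ReplicaTransportInfo", "LDAP").upper()
    init_start = first("nsds5replicaLastInitStart", "0")
    init_end = first("nsds5replicaLastInitEnd", "0")
    return {
        "host": first("nsDS5ReplicaHost"),
        "windows_subtree": first("nsds7WindowsReplicaSubtree"),
        "one_way": first("oneWaySync") or None,
        # A total (re)init leaves generalized-time stamps; 0 means none recorded.
        "initialized": bool(GENERALIZED_TIME.match(init_start)
                            and GENERALIZED_TIME.match(init_end)),
        "last_update_ok": first("nsds5replicaLastUpdateStatus").startswith("0 "),
        "update_in_progress": first("nsds5replicaUpdateInProgress").upper() == "TRUE",
        "changes_sent": first("nsds5replicaChangesSentSinceStartup").strip() or None,
        # A simple bind over plain LDAP would send the AD sync account's
        # password to the DC in clear text.
        "bind_encrypted": transport in ("TLS", "SSL", "STARTTLS", "LDAPS"),
    }


def findings(report):
    """Problems a reviewer of the thread would raise, as plain strings."""
    out = []
    if not report["initialized"]:
        out.append("LastInitStart/End are 0: no total update recorded; "
                   "consider ipa-replica-manage re-initialize")
    if not report["last_update_ok"]:
        out.append("last incremental update did not return status 0")
    if not report["bind_encrypted"]:
        out.append("simple bind over plain LDAP: sync credentials sent in clear")
    return out


if __name__ == "__main__":
    rep = check_agreement(parse_ldif_entry(SAMPLE_LDIF))
    for key, val in rep.items():
        print(f"{key:20} {val}")
    for problem in findings(rep):
        print("WARNING:", problem)
```

Feed it the output of the same ldapsearch the thread uses (one entry at a time) to get the same verdict the thread reaches by eye; on the sample above it reports the agreement as not initialized while the last incremental update still shows status 0, which is exactly the contradiction the post is puzzled by.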