[Freeipa-users] Migration error?

Rob Crittenden rcritten at redhat.com
Mon Jun 15 20:12:13 UTC 2015


Janelle wrote:
> On 6/15/15 6:36 AM, Rob Crittenden wrote:
>> Janelle wrote:
>>> Good morning and happy Monday,
>>>
>>> I have a strange problem. Wondering if anyone has seen this before in
>>> trying to run an ipa migrate-ds?
>>>
>>> ipa: ERROR: The search criteria was not specific enough. Expected 1 and
>>> found 2.
>>>
>>> The migration worked previously, but now, in order to try and update
>>> some missing accounts that were added, now it no longer works and
>>> generates this error. I can't find any way to get verbose information to
>>> find out what it is finding "2" of?
>>
>> Usually means there is a replication conflict entry. You may be able
>> to get more details on what failed by looking at the LDAP access log
>> of both LDAP servers, though I guess I'd expect this happened locally
>> on the IPA box.
>>
>> rob
>>
> I found the problem, but now when trying to re-init from a good server
> using ipa-replica-manage re-initialize, I get:
>
> TLS error -8172:Peer's certificate issuer has been marked as not trusted
> by the user.
>
> But how does THIS happen??
> ~J

I don't know, I'd be curious to know if you can tell more context around 
where it failed (it may be opaque, or at least you'd have to dig 
carefully through both access logs to find it).

The first thing that happens is the agreement is looked up on both 
sides, then both sides are enabled, then a force sync is done, then 
replication is reinitialized. It could blow up at any point.

Given that it sounds like you are deploying multiple IPA installations, 
potentially with the same realm name, is it possible that you 
reinitialized from a master unknown to the server (e.g. in a different 
IPA install)?

That or the 389-ds NSS database on one side or another was modified 
somehow. It must have worked at one time because TLS is used for 
replication during the installation.

rob
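
Added example, not part of the original post or of FreeIPA's own tooling: a check for the "NSS database was modified" hypothesis above, listing certificates that `certutil -L` shows without the `C` (trusted CA) flag in the SSL trust field. The listing and its nicknames are constructed sample data, and the function names and `NSS_DB_DIR` are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed sample of `certutil -L -d <nss-db-dir>` output (nicknames made up).
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           ,,
Server-Cert                                                  u,u,u
OTHER.EXAMPLE IPA CA                                         CT,C,C
EOF
}

# Read a certutil -L listing on stdin and print the nickname of every entry
# whose SSL trust field lacks "C" (trusted CA for issuing server certs).
# Entries flagged "u" (a cert with its private key, e.g. the server's own
# cert) are skipped; telling CA certs from leaf certs this way is a heuristic.
untrusted_for_ssl() {
  awk '
    /Trust Attributes/ || /SSL,S\/MIME/ || NF == 0 { next }   # header, blanks
    {
      split($NF, f, ",")          # last field is "SSL,S/MIME,JAR/XPI" flags
      ssl = f[1]
      nick = $0
      sub(/[ \t]+[^ \t]+$/, "", nick)   # drop the flags column, keep spaces in nickname
      if (ssl ~ /u/) next
      if (ssl !~ /C/) print nick
    }'
}

# Stand-alone run on the constructed sample.
sample_listing | untrusted_for_ssl
```

Against a real server, run `certutil -L -d "$NSS_DB_DIR" | untrusted_for_ssl` on both replicas, where `NSS_DB_DIR` is a placeholder for the directory server instance's NSS database directory, and compare the results.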



