[Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

nathan at nathanpeters.com
Thu May 14 19:56:22 UTC 2015


> On 05/14/2015 04:58 AM, nathan at nathanpeters.com wrote:
>> I have tried to setup synchronization between a FreeIPA domain and an AD
>> domain.  The certificates are in the right place.
>>
>> [root at ipadc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=sync user,cn=Users,dc=datacenter,dc=addomain,dc=net" --bindpw secretpassword --passsync secretpassword --cacert /etc/openldap/cacerts/addc1-datacenter.cer addc1.datacenter.addomain.net -v
>> Directory Manager password:
>>
>> Added CA certificate /etc/openldap/cacerts/addc1-datacenter.cer to certificate database for ipadc1.ipadomain.net
>> ipa: INFO: AD Suffix is: DC=datacenter,DC=addomain,DC=net
>> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
>> Windows PassSync system account exists, not resetting password
>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>> ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0: end: 0
>> ipa: INFO: Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>>
>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11  - LDAP error: Connect error]
>>
>> Failed to start replication
>>
>>
>> This is the system journal while the failure is happening
>>
>> May 14 02:50:39 ipadc1.ipadomain.net systemd[1]: Stopping 389 Directory Server IPADOMAIN-NET....
>> May 14 02:50:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
>> May 14 02:50:41 ipadc1.ipadomain.net named-pkcs11[5594]: ldap_syncrepl will reconnect in 60 seconds
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: ipa : ERROR    syncrepl_poll: LDAP error ({'desc': "Can't contact LDAP server"})
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: Traceback (most recent call last):
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 106, in <module>
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 349, in syncrepl_poll
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: add_intermediates=1, add_ctrls=1, all = 0
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 483, in result4
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: result = func(*args,**kwargs)
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: SERVER_DOWN: {'desc': "Can't contact LDAP server"}
>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Stopped 389 Directory Server IPADOMAIN-NET..
>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Starting 389 Directory Server IPADOMAIN-NET....
>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Started 389 Directory Server IPADOMAIN-NET..
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: Configured NSS Ciphers
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_SEED_CBC_SHA: enabled
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: connection to the LDAP server was lost
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>> May 14 02:51:41 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 1
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>> May 14 02:51:41 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 2
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 2
>> May 14 02:51:41 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 3
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: successfully reconnected to LDAP server
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP instance 'ipa' is being synchronized, please ignore message 'all zones loaded'
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: while modifying(replace) entry 'idnsname=ipadomain.net.,cn=dns,dc=ipadomain,dc=net'
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: retrying LDAP operation (modifying(replace)) on entry 'idnsname=ipadomain.net.,cn=dns,dc=ipadomain,dc=net'
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: connection error
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
>> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: Stopping IPA key daemon...
>> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: Starting IPA key daemon...
>> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: Started IPA key daemon.
>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 1
>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 2
>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 2
>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 3
>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: successfully reconnected to LDAP server
>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: zone 19.21.10.in-addr.arpa/IN: loaded serial 1431571902
>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: zone ipadomain.net/IN: loaded serial 1431571901
>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: 2 master zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)
>> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
>> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 1
>> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 2
>> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 2
>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 3
>> May 14 02:51:43 ipadc1.ipadomain.net ipa-dnskeysyncd[3318]: ipa : INFO     LDAP bind...
>
> CCing Alexander. I wonder if it is related to
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1215010
>
> If your AD has the MS update mentioned in the bug and has a CA cert with
> SHA-512 signing, then you may be hitting this bug.
>

Although the AD DC is Server 2012R2, it does not have KB2992611 installed.
I also checked the certificate and it is SHA1RSA not SHA512.

I also ensured that the windows firewall is disabled.
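Added here as a worked check, not part of the thread: the bug hypothesis above turns on how the AD CA certificate is signed, so this small Python script reads the file passed to `--cacert` (assumed to be the `/etc/openldap/cacerts/addc1-datacenter.cer` from the command, PEM or DER) and reports the outer signatureAlgorithm by decoding just enough DER to reach it. `SAMPLE_DER` is a constructed stand-in for offline use, and the OID table covers only the RSA family.

```python
import ssl

SIG_OIDS = {  # RSA-family signature OIDs (RFC 3279 / RFC 4055)
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

# Constructed minimal DER "certificate" for offline demonstration (empty
# tbsCertificate, sha1WithRSA AlgorithmIdentifier, empty signature); not real.
SAMPLE_DER = bytes.fromhex("3013" "3000" "300b06092a864886f70d010105" "03020000")

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert_der):
    """Name (or bare OID) of the outer signatureAlgorithm of an X.509 cert:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = der_tlv(body, 0)        # skip tbsCertificate
    _, alg, _ = der_tlv(body, pos)         # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_tlv(alg, 0)            # its first element is the OID
    oid = decode_oid(oid)
    return SIG_OIDS.get(oid, oid)

def check_cacert_file(path):
    """Read the --cacert file (PEM or DER) and report how the CA cert is signed."""
    with open(path, "rb") as f:
        data = f.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        data = ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return signature_algorithm(data)
```

On the IPA server, `check_cacert_file("/etc/openldap/cacerts/addc1-datacenter.cer")` returning `sha512WithRSAEncryption` is the case the Bugzilla report describes; `sha1WithRSAEncryption` matches what the poster reports.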
