[Freeipa-users] Replication error

Petr Vobornik pvoborni at redhat.com
Thu Apr 28 10:49:53 UTC 2016 

On 04/26/2016 02:02 PM, Anton Rubets wrote:
> Hhi all
> 
> I have issues with replication between to FreeIPA server
> 
> In maters log
> 
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, 
> ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, 
> ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, 
> ldap://ldap2.domain389/o%3Dipaca) failed.
> [26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS 
> request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
> 
> 
> On replica server
> 
> 
> [26/Apr/2016:08:38:12 +0000] attrlist_replace - attr_replace (nsslapd-referral, 
> ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral, 
> ldap://ldap1domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral, 
> ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral, 
> ldap://ldap1.domain:389/o%3Dipaca) failed.

This is a symptom of dangling RUVs (replica update vector) of previously
removed replicas.

It happens when replica is removed using:
  # ipa-replica-manage del $replica
  # ipa-server-install --uninstall (on replica)

without running:
  # ipa-csreplica-manage del $replica
first

resolution is to clear the RUVs manually using clean ruv DS task becase
ipa-csreplica-manage doesn't have support for it. FreeIPA 4.4 will
receive a new command which will handle bot suffixes automatically - #5411.

The instructions can found on the list:
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00386.html
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00416.html

and
* http://www.port389.org/docs/389ds/FAQ/troubleshoot-cleanallruv.html
* or general procedure for future feature:
https://fedorahosted.org/freeipa/ticket/5411#comment:7


Important: Be very careful not to remove RUVs of existing replicas.


> 
> 
> And  i can't find source of this problem. I have checked permission and etc. As 
> i see replica is working but this message disturb my email every few minutes and 
> i wanna somehow fix this. Also I  just migrate from 3.0 to 4.2.
> Info:
> Master :
>   rpm -qa | grep ipa
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.x86_64
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64​
> 
> Replica:
> rpm -qa | grep ipa
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64​
> 
> 
> Best Regards
> Anton Rubets
-- 
Petr Vobornik

More information about the Freeipa-users mailing list