[Freeipa-users] I think I have an issue, but maybe not.....Is IPA Replica Clean-up Needed?
Rob Crittenden
rcritten at redhat.com
Thu Mar 3 20:30:15 UTC 2016
Auerbach, Steven wrote:
> We have IPA set up in active-active mode. The first node (ipa01) logs
> errors regularly (every few minutes) that seem to be based upon an
> attempt to communicate with a replica that no longer exists.
>
>
>
> Feb 25 14:38:04 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:04 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:14 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:14 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:22 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Cannot contact any KDC for
> <<REALM>> '<<REALM>>.LOCAL')
>
> Feb 25 14:38:35 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:35 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:45 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:45 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:45 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Server
> ldap/ipa02.<<REALM>>.local@<<REALM>>.LOCAL not found in Kerberos database)
>
>
>
> The only place I found any references to the server ipa02 is in dse.ldif
> files in the /etc/dirsrv/slapd-<<REALM>>-LOCAL/ folders
>
>
>
> Quoted from dse.ldif:
>
> dn: cn=replica,cn=dc\3D<<REALM>>\2Cdc\3Dlocal,cn=mapping tree,cn=config
>
> cn: replica
>
> nsDS5Flags: 1
>
> objectClass: top
>
> objectClass: nsds5replica
>
> objectClass: extensibleobject
>
> nsDS5ReplicaType: 3
>
> nsDS5ReplicaRoot: dc=<<REALM>>,dc=local
>
> nsds5ReplicaLegacyConsumer: off
>
> nsDS5ReplicaId: 4
>
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>
> _nsDS5ReplicaBindDN:
> krbprincipalname=ldap/ipa02._<<REALM>>.local@<<REALM>>.LOCAL,cn=services,cn=accounts,dc=<<REALM>>,dc=local
>
> _nsDS5ReplicaBindDN:
> krbprincipalname=ldap/ipa-r02._<<REALM>>.local@<<REALM>>.LOCAL,cn=services,cn=accounts,dc=<<REALM>>,dc=local
>
> creatorsName: cn=directory manager
>
> modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
>
> createTimestamp: 20130924144354Z
>
> modifyTimestamp: 20160225194116Z
>
> nsState:: BAAAAAAAAADcWM9WAAAAAAEAAAAAAAAAZQAAAAAAAAADAAAAAAAAAA==
>
> nsDS5ReplicaName: a5641a0e-252711e3-96afcc83-6ff9b802
>
> numSubordinates: 1
>
>
>
>
>
> When I execute ipa-replica-manage list from either the master or
> replica server I get the same response:
>
> ipa01.<<REALM>>.local: master
>
> ipa-r02.<<REALM>>.local: master
You should run it as this on each host:
$ ipa-replica-manage list -v `hostname`
This will show the current agreements it has and the status.
>
>
> and when I execute ipa-csreplica-manage list from either the master or
> the replica server I get the same response:
>
> ipa01.<<REALM>>.local: master
>
> ipa-r02.<<REALM>>.local: CA not configured
You should strongly consider adding a second CA. Right now you have a
single point of failure.
>
> I would have expected one of these commands to include the ipa02
> server as well since it is in the dse.ldif file.
>
>
>
> I know we are configured in active-active mode and that the CA is only
> on ipa01.
389-ds uses multi-master replication. active-active is typically a term
used with load balancers and clusters and this isn't really that.
>
>
> From an operating perspective, identity management operations (including
> signing on to the browser-based interface and updates made one server
> showing up on the other) from the replica (ipa-r02) are much faster than
> from the master (ipa01). I am guessing that this is because any task
> executing on the replica has only a replica pointer to the master,
> whereas any operation on the master that tries to replicate has to
> timeout on the invalid pointer to ipa02 before it can actually
> communicate with the replica (ipa-r02). Of course my intuition could be
> completely wrong and my actual understanding of how this process works
> is nil.
I'm not intimately familiar with low-level 389-ds replication but I
don't believe it is done serially.
>
> I would like to clean up this environment before I hand the reins over
> to the next person on my team.
>
>
>
> So my questions are:
>
> 1) Is there a way to remove the invalid pointer without having to
> disrupt services on the ipa01?
The ipa-replica-manage command will show the current agreements.
Removing a stale one won't affect operations.
> 2) Do I need to clean this up in this location at all?
If there is bogus agreement then yes. It is a resource drag as the
server needs to calculate and store any changes for something that will
never get sent.
rob
>
>
>
> Thanks for your interest.
>
>
>
>
>
> *Steven Auerbach, Systems Administrator*
>
>
>
More information about the Freeipa-users
mailing list