[Freeipa-users] CSN not found

lejeczek peljasz at yahoo.co.uk
Thu Nov 3 16:49:56 UTC 2016



On 03/11/16 14:16, Mark Reynolds wrote:
>
> On 11/03/2016 09:42 AM, lejeczek wrote:
>> hi everybody
>>
>> my three IPAs have gone haywire, two things I recall: one - one server
>> was on ScientificL with slightly lower minor version of IPA, two -
>> another server (of the two identical CentOSes) had skewed time.
>> Not all three servers are in time-sync and all run same version of IPA
here I meant: Now all three....
>> but replication broke with errors like:
>>
>>
>> $ ipa-replica-manage re-initialize --from rider --force
>>
>> ..
>> [03/Nov/2016:13:21:08 +0000] NSACLPlugin - The ACL target
>> cn=casigningcert
>> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dc=xx,dc=xx,dc=dc=xx,dc=xx,dc=x
>> does not exist
>> [03/Nov/2016:13:21:08 +0000] NSACLPlugin - The ACL target
>> cn=casigningcert
>> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dc=xx,dc=xx,dc=dc=xx,dc=xx,dc=x
>> does not exist
>> [03/Nov/2016:13:21:09 +0000] agmt="cn=meToswir.xx.xx.xx.xx.x"
>> (swir:389) - Can't locate CSN 581b120f000500040000 in the changelog
>> (DB rc=-30988). If replication stops, the consumer may need to be
>> reinitialized.
>> [03/Nov/2016:13:21:09 +0000] NSMMReplicationPlugin - changelog program
>> - agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): CSN
>> 581b120f000500040000 not found, we aren't as up to date, or we purged
>> [03/Nov/2016:13:21:09 +0000] NSMMReplicationPlugin -
>> agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): Data required to update
>> replica has been purged. The replica must be reinitialized.
>> [03/Nov/2016:13:21:09 +0000] NSMMReplicationPlugin -
>> agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): Incremental update failed
>> and requires administrator action
>>
>> I did dbscan -f /var.../cb941....db on all three servers and grepped
>> but cannot see that 581b120f000500040000
>>
>> where to troubleshoot?
> What version of 389 do you have:
>
> rpm -qa | grep 389-ds-base
>
> Did you check the changelog database for 581b120f000500040000:
>
> dbscan -f /var/lib/dirsrv/slapd-INSTANCE/db/changelogdb
results of above scan do not look like that CSN form 
reported in dirsrv's error log, it is:
..
=116156
=116157
=116158
..
>
> What about the access logs?  Do you see the CSN there?
>
> I've seen this issue before where a CSN is missing, which breaks the
> replication agreements, but the CSN does get added to the changelog
> after a few seconds.  The only way to fix replication is to restart the
> server, or disable/enable the replication agreements (basically restart
> them).
restarting is not possible for the systemctl start ipa
fails, though system start dirsrv@... succeeds
what would be the correct process of removing repl agreements?
I'm trying disconnect/del but am not sure if this is the way.

> Thanks,
> Mark
>> many thanks.
>> L
>>
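
Added example, not part of the original thread: a short Python script that pulls the missing CSN out of the error-log lines quoted above and decodes it, so the originating replica ID and the change time can be compared with the log time and with each server's clock. It assumes the 389 Directory Server CSN layout of 8 hex digits of Unix timestamp followed by three 4-digit hex fields (sequence number, replica ID, sub-sequence number); the function names are hypothetical.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

# Two error-log lines from this thread, with the mail wrapping joined back up.
SAMPLE_LOG = """\
[03/Nov/2016:13:21:09 +0000] agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389) - Can't locate CSN 581b120f000500040000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[03/Nov/2016:13:21:09 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): CSN 581b120f000500040000 not found, we aren't as up to date, or we purged
"""

CSN_RE = re.compile(r"\bCSN ([0-9a-fA-F]{20})\b")
LOG_TIME_RE = re.compile(r"^\[([^\]]+)\]")


class CSN(NamedTuple):
    raw: str
    timestamp: datetime   # when the originating replica stamped the change
    seqnum: int
    replica_id: int       # replica that originated the change
    subseqnum: int


def decode_csn(raw: str) -> CSN:
    """Split a 20-hex-digit CSN into its four fields (assumed layout, see lead-in)."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", raw):
        raise ValueError(f"not a 20-hex-digit CSN: {raw!r}")
    stamp = datetime.fromtimestamp(int(raw[:8], 16), tz=timezone.utc)
    return CSN(raw, stamp, int(raw[8:12], 16), int(raw[12:16], 16), int(raw[16:], 16))


def missing_csns(log_text: str) -> dict:
    """Map each CSN seen in the log to (decoded CSN, seconds between CSN and log line).

    A negative age means the CSN is stamped later than the log line that
    mentions it, which is worth checking against clock skew between servers.
    """
    found = {}
    for line in log_text.splitlines():
        csn_m, time_m = CSN_RE.search(line), LOG_TIME_RE.match(line)
        if not csn_m or not time_m or csn_m.group(1) in found:
            continue
        logged = datetime.strptime(time_m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        csn = decode_csn(csn_m.group(1))
        found[csn.raw] = (csn, (logged - csn.timestamp).total_seconds())
    return found


if __name__ == "__main__":
    for csn, age in missing_csns(SAMPLE_LOG).values():
        print(f"{csn.raw}: replica {csn.replica_id}, seq {csn.seqnum}, "
              f"stamped {csn.timestamp.isoformat()}, {age:.0f}s before log line")
```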