[Freeipa-users] Replication attrlist_replace nsslapd-referral failed
Ludwig Krispenz
lkrispen at redhat.com
Tue Oct 11 07:06:42 UTC 2016
Hi,
you don't specify the version you are using:
If it is 389-ds-base-1.3.4.0-33.el7_2.x86_64
the following may apply:
>>>
we have identified an issue with this version, it includes a fix for
389-ds ticket #48766, which was incomplete and resolved shortly after
the release of this version (it is missing the latest patch for #49766
and for #48954).
You can try to go back to 1.3.4.0-32 or if you have support get a hotfix
from our support.
<<<
Sorry for this,
On 10/11/2016 03:48 AM, Fil Di Noto wrote:
> After an IPA server is re-initialized it immediately begins failing
> incremental updates. I checked the kerberos logs and things appear to
> be ok there, I can manually test LDAP from all servers against all
> other servers.
>
> There is an DS5ReplicaBindDN entry in "dn:
> cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" for
> an IPA server that no longer exists. But all IPA living servers have
> an entry for all other living servers.
> There is the correct number of cn=master, and cn=ca, and the
> caRenewalMaster is set on the correct master.
>
> "ipa-replica-manage del --force --clean <server>" does not remove the entry.
>
> There were some RUV from the old servers also and I cleaned them. The
> man page says if a clean is run on the wrong ID then the server should
> be re-initialized, so I just did that on purpose and re-initialized
> the one of the servers and that has cleared the NSMMReplicationPlugin
> error (so far) but I am still getting the attrlist_replace error.
>
> I'm getting no indication of kerberos problems.Could it be the
> NSACLPlugin ? It preceeds the other error every time but that is
> probably just regular startup procedure, and having an ACL for
> something that doesn't exist doesn't feel like a fatal error to me. I
> didn't do the KRA install.
>
> [root at ipa05 slapd-example-com]# tail -f errors
> [10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=example,dc=com does not exist
> [10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target
> cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not
> exist
> [10/Oct/2016:23:27:57 +0000] agmt="cn=meToipa07.example.com"
> (ipa07:389) - Can't locate CSN 57fc2e7f000a000d0000 in the changelog
> (DB rc=-30988). If replication stops, the consumer may need to be
> reinitialized.
> [10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - changelog program
> - agmt="cn=meToipa07.example.com" (ipa07:389): CSN
> 57fc2e7f000a000d0000 not found, we aren't as up to date, or we purged
> [10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin -
> agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update
> replica has been purged. The replica must be reinitialized.
> [10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin -
> agmt="cn=meToipa07.example.com" (ipa07:389): Incremental update failed
> and requires administrator action
> [10/Oct/2016:23:29:09 +0000] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.
>
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
More information about the Freeipa-users
mailing list