[Freeipa-users] Replica Problem (Errors)

Mon Oct 24 07:53:21 UTC 2016

Hi,
On 10/23/2016 03:01 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> I have added on my ipa (Master) Server this user and ACI with a ldif file
>
> ldapmodify -x -D 'cn=Directory Manager' -W
> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: system
> userPassword: secret123
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
> <blank line>
> ^D
>
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci: (targetattr="mailAlternateAddress")
> (targetfilter="(objectClass=mailrecipient)")
>    (version
>    3.0; acl "Allow system account to read mail address"; allow(read,
>    search, compare) userdn =
>    "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
>
> This Ends with a
> modifying entry "cn=users,cn=accounts,dc=example,dc=com"

these changes are not related to the errors you report below (I would be 
really surprised) and you only need to apply them on one server, that's 
what replication is good for.

There are a couple of different types of messages:
- failed to delete changelog record: this is from retro changelog 
trimming, when miscalculation of the starting point for trimming starts 
with changenumber lower than what's in the retro changelog.
In my experience this can happen after a crash/kill/reboot and should 
stop after som time

- attrlist_replace errors: looks like you have recreated a replica on a 
machine and not cleaned the RUV, please see: 
http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records

- keep-alive already exists: this is also an indication of a new 
replica, the keep alive entry was in the database, but the supplier 
tries to send it again, this should also disappear once some real 
changes from replica 4 are replicated
>
> but now I have on the changed master this 100... Errors
>
> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not
> delete change record 396504 (rc: 32)
> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not
> delete change record 396505 (rc: 32)
> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not
> delete change record 396506 (rc: 32)
> [23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep alive
> entry <cn=repl keep alive 4,dc=example,dc=com> already exists
> [23/Oct/2016:13:38:57 +0200] attrlist_replace - attr_replace (nsslapd-
> referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
> [23/Oct/2016:13:38:57 +0200] attrlist_replace - attr_replace (nsslapd-
> referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
> [23/Oct/2016:13:38:57 +0200] attrlist_replace - attr_replace (nsslapd-
> referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
> [23/Oct/2016:13:39:20 +0200] NSMMReplicationPlugin -
> agmt="cn=meToipa1.example.com" (ipa1:389): Warning: Attempting to release
> replica, but unable to receive endReplication extended operation response from
> the replica. Error -1 (Can't contact LDAP server)
> [23/Oct/2016:13:39:23 +0200] NSMMReplicationPlugin -
> agmt="cn=meToipa1.example.com" (ipa1:389): Replication bind with GSSAPI auth
> resumed
> [23/Oct/2016:13:53:57 +0200] attrlist_replace - attr_replace (nsslapd-
> referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
> [23/Oct/2016:13:53:57 +0200] attrlist_replace - attr_replace (nsslapd-
> referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
> [23/Oct/2016:13:53:57 +0200] attrlist_replace - attr_replace (nsslapd-
> referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
> [23/Oct/2016:14:04:24 +0200] NSMMReplicationPlugin - replication keep alive
> entry <cn=repl keep alive 4,dc=example,dc=com> already exists
> [23/Oct/2016:14:08:57 +0200] attrlist_replace - attr_replace (nsslapd-
> referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
> [23/Oct/2016:14:08:57 +0200] attrlist_replace - attr_replace (nsslapd-
> referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
> [23/Oct/2016:14:08:57 +0200] attrlist_replace - attr_replace (nsslapd-
> referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
> [23/Oct/2016:14:23:57 +0200] attrlist_replace - attr_replace (nsslapd-
> referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
> [23/Oct/2016:14:23:57 +0200] attrlist_replace - attr_replace (nsslapd-
> referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
> [23/Oct/2016:14:23:57 +0200] attrlist_replace - attr_replace (nsslapd-
> referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
> [23/Oct/2016:14:30:23 +0200] NSMMReplicationPlugin - replication keep alive
> entry <cn=repl keep alive 4,dc=example,dc=com> already exists
>
>
> and on the replica (Master) this  1000....Errors
>
> [23/Oct/2016:13:42:50 +0200] DSRetroclPlugin - delete_changerecord: could not
> delete change record 240846 (rc: 32)
> [23/Oct/2016:13:42:50 +0200] DSRetroclPlugin - delete_changerecord: could not
> delete change record 240847 (rc: 32)
> [23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not
> delete change record 240848 (rc: 32)
> [23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not
> delete change record 240849 (rc: 32)
> [23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not
> delete change record 240850 (rc: 32)
> [23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not
> delete change record 240851 (rc: 32)
> [23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not
> delete change record 240852 (rc: 32)
> [23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not
> delete change record 240853 (rc: 32)
>
> What is wrong with my changes, or have I to add my changes also on the
> Replicas ?
>
> Thanks for a answer,
>

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander