[Freeipa-users] replicas removed, but incorrectly

Natxo Asenjo natxo.asenjo at gmail.com
Mon Sep 26 11:54:29 UTC 2016


On Mon, Sep 26, 2016 at 1:50 PM, Ludwig Krispenz <lkrispen at redhat.com>
wrote:

>
> On 09/26/2016 01:36 PM, Natxo Asenjo wrote:
>
> hi,
>
> I recently upgraded a centos 6.8 realm to centos 7.2 and it almost went
> correctly.
>
> Now I see some errors in /var/log/dirsrv/slapd-INSTANCENAME/errors
>
> 26/Sep/2016:13:20:15 +0200] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://kdc03.unix.iriszorg.nl:389/o%3Dipaca) failed
>
> and according to http://www.freeipa.org/page/Troubleshooting#Replication_issues
> this points to a ruv problem.
>
> So let's enumerate.
>
> We had kdc01 replicating to kdc02 (both 6.8).
>
> Then I created a replica from kdc01 to kdc03 (running 7.2).
>
> And from kdc03 to kdc04 (both 7.2).
>
> kdc01 and kdc02 are decommissioned, but kdc02 still shows in both kdc03
> and kdc04:
>
> $ ipa-replica-manage list
> kdc02.unix.iriszorg.nl: master
> kdc03.unix.iriszorg.nl: master
> kdc04.unix.iriszorg.nl: master
>
> and in
>
> $ ipa-csreplica-manage list
> Directory Manager password:
> kdc02.unix.iriszorg.nl: master
> kdc03.unix.iriszorg.nl: master
> kdc04.unix.iriszorg.nl: master
>
>
> From kdc03:
> $ ldapsearch -Z -h kdc04.unix.iriszorg.nl -D "cn=Directory Manager" -W -b
> "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
> | grep "nsds50ruv\|nsDS5ReplicaId"
> Enter LDAP Password:
> nsDS5ReplicaId: 1095
> nsds50ruv: {replicageneration} 50c1015c000000600000
> nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389}
> 57e4d75a0000044700
> nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389}
> 57e23f66000000420000
> nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389}
> 50c1016c00000060000
> nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389}
> 57e140c7000000470000
> nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389}
> 50c1016800000061000
>
> and from kdc04:
>
> # ldapsearch -Z -h kdc04.unix.iriszorg.nl -D "cn=Directory Manager" -W -b
> "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
> | grep "nsds50ruv\|nsDS5ReplicaId"
> Enter LDAP Password:
> nsDS5ReplicaId: 1095
> nsds50ruv: {replicageneration} 50c1015c000000600000
> nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389}
> 57e4d75a0000044700
> nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389}
> 57e23f66000000420000
> nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389}
> 50c1016c00000060000
> nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389}
> 57e140c7000000470000
> nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389}
> 50c1016800000061000
>
>
> So now I have to run a clean ruv task like this (as seen in
> https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html):
>
> # ldapmodify -ZZ -D "cn=directory manager" -W -a
> dn: cn=clean 13, cn=cleanallruv, cn=tasks, cn=config
> objectclass: extensibleObject
> replica-base-dn: o=ipaca
> replica-id: 13
> cn: clean 13
>
>
> And in my example, the replica id would be 66, 96, 71 and 97, correct?
>
> no, I don't think so. you searched 2 times the same host "-h
> kdc04.unix.iriszorg.nl".
> you need to search on kdc03 to find the current replicaid of kdc03 and you
> have to keep it.
>


yes, you are right :(

 $ ldapsearch -Z -h kdc03.unix.iriszorg.nl -D "cn=Directory Manager" -W -b
"o=ipaca"
"(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
| grep "nsds50ruv\|nsDS5ReplicaId"
Enter LDAP Password:
nsDS5ReplicaId: 66
nsds50ruv: {replicageneration} 50c1015c000000600000
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389}
57e23f66000000420000
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389}
57e4d75a0000044700
nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389}
50c1016c00000060000
nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389}
57e140c7000000470000
nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389}
50c1016800000061000


so I need to keep 66 and 1095, and run the task on 96, 71 and 97, it would
seem.

Thanks for spotting my error.

-- 
regards,
natxo
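
The check discussed in this thread, as an added example that is not part of the original messages: it parses the filtered `ldapsearch` output collected from each live master, keeps every id that a live master reports as its own `nsDS5ReplicaId`, and emits a cleanallruv task entry for the rest. The function names are hypothetical, and the sample input is rebuilt from the outputs posted above with the CSN lines omitted. Ids are compared rather than hostnames, because id 71 carries kdc03's URL but is not kdc03's current id.

```python
import re

RUV_RE = re.compile(r"\{replica (\d+) (ldap://[^}\s]+)\}")
OWN_RE = re.compile(r"^nsDS5ReplicaId:\s*(\d+)\s*$", re.M)

def parse_ruv(text):
    """Return (own replica id, {replica id: URL}) from filtered ldapsearch output."""
    own = OWN_RE.search(text)
    if own is None:
        raise ValueError("no nsDS5ReplicaId in output")
    return int(own.group(1)), {int(r): u for r, u in RUV_RE.findall(text)}

def stale_replica_ids(outputs):
    """outputs maps each live master's name to the search output obtained from it."""
    live, seen = {}, {}
    for host, text in outputs.items():
        own, ruv = parse_ruv(text)
        if own in live:
            # The same id twice means one server was queried twice (wrong -h).
            raise ValueError(f"{host} and {live[own]} both report replica id {own}")
        live[own] = host
        seen.update(ruv)
    return sorted(rid for rid in seen if rid not in live)

def cleanallruv_ldif(rid, base_dn="o=ipaca"):
    """Task entry for one replica id, in the form quoted in the thread."""
    return (f"dn: cn=clean {rid}, cn=cleanallruv, cn=tasks, cn=config\n"
            "objectclass: extensibleObject\n"
            f"replica-base-dn: {base_dn}\n"
            f"replica-id: {rid}\n"
            f"cn: clean {rid}\n")

# Sample input rebuilt from the outputs in this thread (CSN lines omitted).
KDC04 = """nsDS5ReplicaId: 1095
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389}
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389}
nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389}
nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389}
nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389}
"""
# kdc03 lists the same RUV entries but reports 66 as its own id.
KDC03 = KDC04.replace("nsDS5ReplicaId: 1095", "nsDS5ReplicaId: 66")

if __name__ == "__main__":
    for rid in stale_replica_ids({"kdc03": KDC03, "kdc04": KDC04}):
        print(cleanallruv_ldif(rid))
```

Passing the kdc04 output under both names raises `ValueError`, which is the double-query mistake pointed out in the reply above.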