[Freeipa-users] Replication broken

Timothy Geier tgeier at accertify.com
Mon Sep 26 21:07:25 UTC 2016 

> On Sep 26, 2016, at 2:17 PM, Timothy Geier <tgeier at accertify.com> wrote:
> 
> This issue started when trying to remove a user; ipa user-del showed “operation failed” and the user was not removed.  The same ipa user-del command was performed on a replica and completed successfully, but it was then immediately apparent that this change did not replicate anywhere else.  All of the replicas then were re-initalized using "ipa-replica-manage re-initialize” and now the LDAP trees/users are consistent though no further changes have been made.
> 
> The slapd error logs are showing repeated instances of
> 
> DSRetroclPlugin - replog: an error occured while adding change number 112697, dn = changenumber=112697,cn=changelog: Already exists.
> retrocl-plugin - retrocl_postob: operation failure [68]
> 
> Package versions are
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> and 
> 389-ds-base-1.3.4.0-29.el7_2.x86_64
> 
> ipa-replica-manage list-ruv
> ipa: WARNING: session memcached servers not running
> unable to decode: {replica 11} 56044ef50000000b0000 56044ef50000000b0000
> unable to decode: {replica 7} 561f17ba000800070000 561f17ba000800070000
> unable to decode: {replica 5} 561f17bc000300050000 561f17bc000300050000
> unable to decode: {replica 9} 561f17ba000a00090000 561f17ba000a00090000
> unable to decode: {replica 4} 561f17ba000300040000 561f17ba000300040000 
> (These are likely leftovers from the previous incarnation of these servers on a RHEL6-like setup)
> ipa07:389: 16
> ipa02:389: 13
> ipa03:389: 14
> ipa01:389: 12
> ipa04:389: 15
> ipa05:389: 17
> 
> Thanks much,

After not taking any action, this error has stopped but has been replaced with

[26/Sep/2016:15:54:54 -0500] NSMMReplicationPlugin - agmt="cn=meToipa03" (ipa03:389): Missing data encountered
[26/Sep/2016:15:54:54 -0500] NSMMReplicationPlugin - agmt="cn=meToipa03" (ipa03:389): Incremental update failed and requires administrator action

for all of the replicas and things are slightly out of sync everywhere.  

Is the best course of action here to declare one a new master and do a ipa-replica-manage re-initialize to all of the others from that one?


"This message and any attachments may contain confidential information. If you
have received this  message in error, any use or distribution is prohibited. 
Please notify us by reply e-mail if you have mistakenly received this message,
and immediately and permanently delete it and any attachments. Thank you."

More information about the Freeipa-users mailing list