[Freeipa-users] IPA replica issue

Giorgio Biacchi giorgio at di.unimi.it
Mon Feb 6 17:28:36 UTC 2017


On 02/06/2017 05:14 PM, Giorgio Biacchi wrote:
> On 02/06/2017 04:54 PM, Rob Crittenden wrote:
>> Giorgio Biacchi wrote:
>>> Hi list,
>>> I have this message in the logs:
>>>
>>> Feb  6 16:43:10 dc01 ns-slapd: [06/Feb/2017:16:43:10.157801305 +0100]
>>> NSMMReplicationPlugin -
>>> agmt="cn=masterAgreement1-dc02.myorg.local-pki-tomcat" (dc02:389): Data
>>> required to update replica has been purged from the changelog. The
>>> replica must be reinitialized.
>>>
>>> But ipa-replica-manage re-initialize --from dc02.myorg.local does not
>>> fix the problem. Even moving away the changelog directory didn't help.
>>>
>>> I'm running ipa-server-4.4.0-14.el7.centos.4.x86_64 and
>>> 389-ds-base-1.3.5.10-15.el7_3.x86_64, and setup is:
>>>
>>> #ipa-replica-manage list
>>> Directory Manager password:
>>>
>>> dc01.myorg.local: master
>>> dc02.myorg.local: master
>>>
>>> Can someone please tell me which is the correct sequence of actions to
>>> fix this issue?
>>
>> The error appears to be the CA replicated data (ref to tomcat in the
>> agreement) so you need to use ipa-csreplica-manage instead of
>> ipa-replica-manage.
>>
>> rob
>>
>
> Hi Rob,
> even ipa-csreplica-manage re-initialize --from dc02.myorg.local seems not to
> solve the issue, here are the logs after the command you suggested:
>
> Feb  6 17:12:06 dc01 ns-slapd: [06/Feb/2017:17:12:06.432485541 +0100]
> NSMMReplicationPlugin - changelog program - agmt="cn=meTodc02.myorg.local"
> (idc02:389): CSN 58989367000c00040000 not found, we aren't as up to date, or we
> purged
> Feb  6 17:12:06 dc01 ns-slapd: [06/Feb/2017:17:12:06.436444629 +0100]
> NSMMReplicationPlugin - agmt="cn=meTodc02.myorg.local" (dc02:389): Data required
> to update replica has been purged from the changelog. The replica must be
> reinitialized.
>
> Thanks for your kind attention

Hello again,
after a couple of re-initializations (ipa-csreplica-manage and
ipa-replica-manage) and after systemctl restart ipa, the previous error is
now gone and the replica is working in both directions.

Now I have a new error:

Feb  6 18:02:12 dc01 [sssd[ldap_child[10109]]]: Failed to initialize credentials 
using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable 
to create GSSAPI-encrypted LDAP connection.
Feb  6 18:02:12 dc01 [sssd[ldap_child[10109]]]: Decrypt integrity check failed

Is there a way to fix this?

Thanks
-- 
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34



