[Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error

Chris Dagdigian dag at sonsorol.org
Thu May 4 12:23:19 UTC 2017


Standa Laznicka wrote:
> You can, but you probably won't be able to install a CA replica on 
> them (you have to leave out the --setup-ca option). In the meantime, 
> you can create replicas without CA replication and when the Dogtag/DS 
> guys solve the problem, you can run ipa-ca-install on those to setup 
> CA replication there as well. 

Appreciate the attention this is getting!

My testing from yesterday shows that all replication is broken for me 
due to this 'replication manager' user not existing in LDAP, so I may be 
hit by something in addition to the dogtag issue.

I have two servers that are out of sync with each other:

  - Manual force update fails
  - Manual re-initialization fails
  - Installing a new IPA server without CA-service claims to work but no actual updates transfer

As far as I can tell all of the failures are due to an LDAP access issue 
where the logs talk about a replication-agreement-specific LDAP user not 
existing.

Example From Replica:

# ipa-replica-manage -v re-initialize --from usaeilidmp001.redactedidm.org
ipa: INFO: Setting agreement cn=meTousaeilidmp002.redactedidm.org,cn=replica,cn=dc\=redactedidm\,dc\=org,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTousaeilidmp002.redactedidm.org,cn=replica,cn=dc\=redactedidm\,dc\=org,cn=mapping tree,cn=config
Update in progress, 14 seconds elapsed

# [usaeilidmp001.redactedidm.org] reports: Update failed! Status: [-2  - LDAP error: Local error]

dirsrv error logs from Master:

[04/May/2017:12:20:08.531621754 +0000] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-usaeilidmp002.redactedidm.org-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[04/May/2017:12:20:10.071619724 +0000] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-deawilidmp001.redactedidm.org-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[04/May/2017:12:20:11.074340742 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[04/May/2017:12:20:35.078730934 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[04/May/2017:12:21:23.083737475 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
Regards,
Chris
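The 389-ds error lines quoted in the post above carry two distinct failure signatures: a SIMPLE bind as a "Replication Manager cloneAgreement…" DN under ou=csusers,cn=config that fails with LDAP error 32 (No such object), and set_krb5_creds failing with KRB5_KT_NOTFOUND for a principal whose realm after the "@" is empty. The following is an added triage script, not code from the original thread or from the FreeIPA project: it parses lines in the format shown, pulls out the bind DN, the peer host named in the clone agreement, the principal and the keytab path, and attaches the observations an operator would want before touching the replica. The only sample input is the first four error lines copied from the post; nothing is queried from a live server.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the first four error-log lines quoted in the post.
SAMPLE_LOG = """\
[04/May/2017:12:20:08.531621754 +0000] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-usaeilidmp002.redactedidm.org-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[04/May/2017:12:20:10.071619724 +0000] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-deawilidmp001.redactedidm.org-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[04/May/2017:12:20:11.074340742 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[04/May/2017:12:20:35.078730934 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
"""

# Generic 389-ds error-log shape: "[timestamp] function - message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<func>\S+)\s+-\s+(?P<msg>.*)$")
BIND_RE = re.compile(
    r"could not bind id \[(?P<dn>[^\]]+)\] authentication mechanism "
    r"\[(?P<mech>[^\]]+)\]: error (?P<code>\d+) \((?P<text>[^)]+)\)")
KRB_RE = re.compile(
    r"principal \[(?P<principal>[^\]]+)\] in keytab \[(?P<keytab>[^\]]+)\]: "
    r"(?P<code>-?\d+) \((?P<text>[^)]+)\)")
# Dogtag names its CA clone agreement bind DNs "cloneAgreement<n>-<peer host>-pki-tomcat"
CLONE_AGREEMENT_RE = re.compile(r"cloneAgreement\d+-(?P<peer>.+?)-pki-tomcat")

LDAP_NO_SUCH_OBJECT = 32           # LDAP result code seen in the bind failures
KRB5_KT_NOTFOUND = -1765328203     # krb5 error code for "Key table entry not found"


@dataclass
class Finding:
    timestamp: str
    kind: str                      # "replica_bind_failed" or "keytab_lookup_failed"
    subject: str                   # bind DN or Kerberos principal
    code: int
    peer: Optional[str] = None     # replica host named in the clone agreement DN
    empty_realm: bool = False      # principal ends in "@", i.e. no realm
    notes: List[str] = field(default_factory=list)


def classify_line(line: str) -> Optional[Finding]:
    """Turn one error-log line into a Finding, or None if it is not one of the two signatures."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, func, msg = m.group("ts"), m.group("func"), m.group("msg")

    if func == "slapi_ldap_bind":
        b = BIND_RE.search(msg)
        if not b:
            return None
        f = Finding(ts, "replica_bind_failed", b.group("dn"), int(b.group("code")))
        peer = CLONE_AGREEMENT_RE.search(f.subject)
        if peer:
            f.peer = peer.group("peer")
            f.notes.append("bind DN is a Dogtag CA clone-agreement account under ou=csusers,cn=config")
        if f.code == LDAP_NO_SUCH_OBJECT:
            f.notes.append("error 32: the bind DN does not exist on the server that was asked to authenticate it")
        return f

    if func == "set_krb5_creds":
        k = KRB_RE.search(msg)
        if not k:
            return None
        f = Finding(ts, "keytab_lookup_failed", k.group("principal"), int(k.group("code")))
        f.empty_realm = f.subject.endswith("@")
        if f.empty_realm:
            f.notes.append("principal has an empty realm after '@', which is unlikely to match any keytab entry")
        if f.code == KRB5_KT_NOTFOUND:
            f.notes.append(f"no entry for this principal in {k.group('keytab')}")
        return f
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (classify_line(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.kind for f in findings))


def missing_bind_dns(findings: List[Finding]) -> List[str]:
    """Distinct bind DNs that the server reported as non-existent, in first-seen order."""
    seen: List[str] = []
    for f in findings:
        if f.kind == "replica_bind_failed" and f.code == LDAP_NO_SUCH_OBJECT and f.subject not in seen:
            seen.append(f.subject)
    return seen


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f.timestamp, f.kind, f.subject, f.peer or "", f.empty_realm)
        for note in f.notes:
            print("   -", note)
    print(summarize(found))
    print(missing_bind_dns(found))
```

Running it against the sample prints two missing clone-agreement DNs (one per peer) and two keytab lookups for the same realm-less principal; the same regexes work on a full /var/log/dirsrv/slapd-*/errors file because each line is classified independently.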