[Freeipa-users] Replica cannot be reinitialized after upgrade

Maciej Drobniuch md at collective-sense.com
Mon May 15 09:40:47 UTC 2017


Hi Goran

Exact same issue here with the same troubleshooting steps taken (I've tried
to reinitialize the replicas with success msg) - no luck so far.

I've additionally run the ipa_check_consistency script:
FreeIPA servers:    ipa1      ipa2      ipa3    STATE
===================================================================
Active Users        37            37            37            OK
Stage Users         0             0             0             OK
Preserved Users     0             0             0             OK
User Groups         10            10            10            OK
Hosts               69            69            69            OK
Host Groups         7             7             7             OK
HBAC Rules          11            11            11            OK
SUDO Rules          1             1             1             OK
DNS Zones           8             8             8             OK
LDAP Conflicts      YES           YES           YES           FAIL
Ghost Replicas      NO            NO            NO            OK
Anonymous BIND      YES           YES           YES           OK
Replication Status  ipa2 18   ipa1 0    ipa1 0
                    ipa3 0
===================================================================

Besides this, the ipa master named-pkcs is sometimes crashing and ipa
fails to start.
I've rolled a backup from 1 week ago and it's starting but I don't know how
long it will last.

IPA team, please help.


# ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

-- 
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC


On Thu, May 11, 2017 at 6:53 PM, Goran Marik <goranm at ecobee.com> wrote:

> Hi,
>
> After an upgrade to CentOS 7.3.1611 with "yum update", we started seeing
> the following messages in the logs:
> “””
> May  9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.519724479
> +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-
> inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000
> not found, we aren't as up to date, or we purged
> May  9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.550459233
> +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-
> inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update
> replica has been purged from the changelog. The replica must be
> reinitialized.
> May  9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.588245476
> +0000] agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat"
> (inf02:389) - Can't locate CSN 576b34e8000a050f0000 in the changelog (DB
> rc=-30988). If replication stops, the consumer may need to be reinitialized.
> May  9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.611400689
> +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-
> inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000
> not found, we aren't as up to date, or we purged
> May  9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.642226385
> +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-
> inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update
> replica has been purged from the changelog. The replica must be
> reinitialized.
> “””
>
> The log messages are pretty frequent, every few seconds, and report a few
> different CSN numbers that cannot be located.
>
> This happens only on one replica out of 4. We’ve tried "ipa-replica-manage
> re-initialize --from" and "ipa-csreplica-manage re-initialize --from" several
> times, but while both commands report success, the log messages continue to
> happen. The server was rebooted and "systemctl restart ipa" was done a few
> times as well.
>
> The replica seems to be working fine despite the errors, but I’m worried
> that the logs indicate an underlying problem we are not fully detecting. I
> would like to understand better what is triggering this behaviour and how
> to fix it, and if someone else saw them after a recent upgrade.
>
> The software versions are 389-ds-base-1.3.5.10-20.el7_3.x86_64 and
> ipa-server-4.4.0-14.el7.centos.7.x86_64
>
> Thanks,
> Goran
>
> --
> Goran Marik
> Senior Systems Developer
>
> ecobee
> 250 University Ave, Suite 400
> Toronto, ON M5H 3E5
>
>
>
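
Added example (not part of either message, and not FreeIPA or 389-ds code): a small parser for the ns-slapd lines quoted above that pulls out the agreement and the CSN and decodes the CSN, assuming the 389-ds layout of 8 hex digits of Unix timestamp, 4 of sequence number, 4 of replica ID and 4 of sub-sequence. The names SAMPLE_LOG, decode_csn and missing_csns are hypothetical; the sample lines are constructed by rejoining two of the wrapped log messages from the mail.

```python
import re
from datetime import datetime, timezone

# Constructed sample: two of the ns-slapd messages quoted above, each rejoined
# onto one line (the mail client had wrapped them).
SAMPLE_LOG = """\
May  9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.519724479 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000 not found, we aren't as up to date, or we purged
May  9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.588245476 +0000] agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389) - Can't locate CSN 576b34e8000a050f0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
"""

# Bracketed ns-slapd timestamp, then the agreement name, then a 20-hex-digit CSN.
LINE_RE = re.compile(
    r'\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d+ (?P<tz>[+-]\d{4})\].*?'
    r'agmt="(?P<agmt>[^"]+)".*?\bCSN (?P<csn>[0-9a-fA-F]{20})\b'
)

def decode_csn(csn):
    """Split a 20-hex-digit CSN into its four fields (assumed 389-ds layout)."""
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }

def missing_csns(log_text):
    """Return {(agreement, csn): details} for each line that names a CSN."""
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        logged = datetime.strptime(m["ts"] + " " + m["tz"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["agmt"], m["csn"])
        info = decode_csn(m["csn"])
        # Age of the change the supplier is looking for, relative to the log line.
        info["age_days"] = (logged - info["time"]).days
        info["hits"] = found.get(key, {}).get("hits", 0) + 1
        found[key] = info
    return found

if __name__ == "__main__":
    for (agmt, csn), d in missing_csns(SAMPLE_LOG).items():
        print(f"{agmt}: CSN {csn} from replica ID {d['replica_id']}, "
              f"written {d['time']:%Y-%m-%d %H:%M:%S} UTC, "
              f"{d['age_days']} days before the log line, seen {d['hits']}x")
```

Run against the full error log, this groups the repeating messages by agreement and CSN, and shows which replica ID originated each change and how old it is.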