<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 26, 2016 at 1:50 PM, Ludwig Krispenz <span dir="ltr"><<a href="mailto:lkrispen@redhat.com" target="_blank">lkrispen@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><div><div class="gmail-h5">
<br>
<div>On 09/26/2016 01:36 PM, Natxo Asenjo
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>hi,<br>
<br>
</div>
I recently upgraded a centos 6.8 realm to centos
7.2 and it almost went correctly.<br>
<br>
</div>
Now I see some errors in
/var/log/dirsrv/slapd-<wbr>INSTANCENAME/errors<br>
<br>
26/Sep/2016:13:20:15 +0200] attrlist_replace -
attr_replace (nsslapd-referral, <a>ldap://</a><a href="http://kdc03.unix.iriszorg.nl:389/o%3Dipaca" target="_blank">kdc03.unix.iriszorg.nl:<wbr>389/o%3Dipaca</a>)
failed<br>
<br>
</div>
and according to <a href="http://www.freeipa.org/page/Troubleshooting#Replication_issues" target="_blank">http://www.freeipa.org/page/<wbr>Troubleshooting#Replication_<wbr>issues</a>
this points to a ruv problem.<br>
<br>
</div>
So let's enumerate.<br>
<br>
</div>
We had kdc01 replicating to kdc02 (both 6.8).<br>
<br>
</div>
Then I created a replica from kdc01 to kdc03 (running 7.2).
<br>
<br>
</div>
And from kdc03 to kdc04 (both 7.2).<br>
<br>
</div>
kdc01 and kdc02 are decommissioned, but kdc02 still shows in
both kdc03 and kdc04:<br clear="all">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div><br>
$ ipa-replica-manage list<br>
<a href="http://kdc02.unix.iriszorg.nl" target="_blank">kdc02.unix.iriszorg.nl</a>:
master<br>
<a href="http://kdc03.unix.iriszorg.nl" target="_blank">kdc03.unix.iriszorg.nl</a>:
master<br>
<a href="http://kdc04.unix.iriszorg.nl" target="_blank">kdc04.unix.iriszorg.nl</a>:
master<br>
<br>
</div>
<div>and in <br>
</div>
<div><br>
$ ipa-csreplica-manage list<br>
Directory Manager password: <br>
<a href="http://kdc02.unix.iriszorg.nl" target="_blank">kdc02.unix.iriszorg.nl</a>:
master<br>
<a href="http://kdc03.unix.iriszorg.nl" target="_blank">kdc03.unix.iriszorg.nl</a>:
master<br>
<a href="http://kdc04.unix.iriszorg.nl" target="_blank">kdc04.unix.iriszorg.nl</a>:
master<br>
<br>
<br>
</div>
<div>From kdc03:<br>
$ ldapsearch -Z -h <a href="http://kdc04.unix.iriszorg.nl" target="_blank">kdc04.unix.iriszorg.nl</a>
-D "cn=Directory Manager" -W -b "o=ipaca"
"(&(objectclass=nstombstone)(<wbr>nsUniqueId=ffffffff-ffffffff-<wbr>ffffffff-ffffffff))"
| grep "nsds50ruv\|nsDS5ReplicaId"<br>
Enter LDAP Password: <br>
nsDS5ReplicaId: 1095<br>
nsds50ruv: {replicageneration}
50c1015c000000600000<br>
nsds50ruv: {replica 1095 <a>ldap://</a><a href="http://kdc04.unix.iriszorg.nl:389" target="_blank">kdc04.unix.iriszorg.nl:<wbr>389</a>}
57e4d75a0000044700<br>
nsds50ruv: {replica 66 <a>ldap://</a><a href="http://kdc03.unix.iriszorg.nl:389" target="_blank">kdc03.unix.iriszorg.nl:<wbr>389</a>}
57e23f66000000420000<br>
nsds50ruv: {replica 96 <a>ldap://</a><a href="http://kdc01.unix.iriszorg.nl:7389" target="_blank">kdc01.unix.iriszorg.nl:<wbr>7389</a>}
50c1016c00000060000<br>
nsds50ruv: {replica 71 <a>ldap://</a><a href="http://kdc03.unix.iriszorg.nl:389" target="_blank">kdc03.unix.iriszorg.nl:<wbr>389</a>}
57e140c7000000470000<br>
nsds50ruv: {replica 97 <a>ldap://</a><a href="http://kdc02.unix.iriszorg.nl:7389" target="_blank">kdc02.unix.iriszorg.nl:<wbr>7389</a>}
50c1016800000061000<br>
<br>
</div>
<div>and from kdc04:<br>
<br>
# ldapsearch -Z -h <a href="http://kdc04.unix.iriszorg.nl" target="_blank">kdc04.unix.iriszorg.nl</a>
-D "cn=Directory Manager" -W -b "o=ipaca"
"(&(objectclass=nstombstone)(<wbr>nsUniqueId=ffffffff-ffffffff-<wbr>ffffffff-ffffffff))"
| grep "nsds50ruv\|nsDS5ReplicaId"<br>
Enter LDAP Password: <br>
nsDS5ReplicaId: 1095<br>
nsds50ruv: {replicageneration}
50c1015c000000600000<br>
nsds50ruv: {replica 1095 <a>ldap://</a><a href="http://kdc04.unix.iriszorg.nl:389" target="_blank">kdc04.unix.iriszorg.nl:<wbr>389</a>}
57e4d75a0000044700<br>
nsds50ruv: {replica 66 <a>ldap://</a><a href="http://kdc03.unix.iriszorg.nl:389" target="_blank">kdc03.unix.iriszorg.nl:<wbr>389</a>}
57e23f66000000420000<br>
nsds50ruv: {replica 96 <a>ldap://</a><a href="http://kdc01.unix.iriszorg.nl:7389" target="_blank">kdc01.unix.iriszorg.nl:<wbr>7389</a>}
50c1016c00000060000<br>
nsds50ruv: {replica 71 <a>ldap://</a><a href="http://kdc03.unix.iriszorg.nl:389" target="_blank">kdc03.unix.iriszorg.nl:<wbr>389</a>}
57e140c7000000470000<br>
nsds50ruv: {replica 97 <a>ldap://</a><a href="http://kdc02.unix.iriszorg.nl:7389" target="_blank">kdc02.unix.iriszorg.nl:<wbr>7389</a>}
50c1016800000061000<br>
<br>
<br>
</div>
<div>So now I have to run a clean ruv task like
this (as seen in <a href="https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html" target="_blank">https://www.redhat.com/<wbr>archives/freeipa-users/2016-<wbr>May/msg00043.html</a>):<br>
<br>
<pre># ldapmodify -ZZ -D "cn=directory manager" -W -a
dn: cn=clean 13, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: o=ipaca
replica-id: 13
cn: clean 13
</pre>
<pre>And in my example, the replica id would be 66, 96, 71 and 97, correct?
</pre>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote></div></div>
No, I don't think so. You searched the same host twice: "-h <a href="http://kdc04.unix.iriszorg.nl" target="_blank">kdc04.unix.iriszorg.nl</a>".
<br>
You need to search on kdc03 to find the current replicaid of kdc03
and you have to keep it.<span class="gmail-"><br></span></div></blockquote><div><br><br></div><div bgcolor="#FFFFFF">yes, you are right :(<br><br> $ ldapsearch -Z -h <a href="http://kdc03.unix.iriszorg.nl">kdc03.unix.iriszorg.nl</a> -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"<br>Enter LDAP Password: <br>nsDS5ReplicaId: 66<br>nsds50ruv: {replicageneration} 50c1015c000000600000<br>nsds50ruv: {replica 66 ldap://<a href="http://kdc03.unix.iriszorg.nl:389">kdc03.unix.iriszorg.nl:389</a>} 57e23f66000000420000<br>nsds50ruv: {replica 1095 ldap://<a href="http://kdc04.unix.iriszorg.nl:389">kdc04.unix.iriszorg.nl:389</a>} 57e4d75a0000044700<br>nsds50ruv: {replica 96 ldap://<a href="http://kdc01.unix.iriszorg.nl:7389">kdc01.unix.iriszorg.nl:7389</a>} 50c1016c00000060000<br>nsds50ruv: {replica 71 ldap://<a href="http://kdc03.unix.iriszorg.nl:389">kdc03.unix.iriszorg.nl:389</a>} 57e140c7000000470000<br>nsds50ruv: {replica 97 ldap://<a href="http://kdc02.unix.iriszorg.nl:7389">kdc02.unix.iriszorg.nl:7389</a>} 50c1016800000061000<br><br><span class="gmail-"><br></span></div><div bgcolor="#FFFFFF"><span class="gmail-">so I need to keep 66 and 1095, and run the task on 96, 71 and 97, it would seem.<br><br></span></div><div bgcolor="#FFFFFF"><span class="gmail-">Thanks for spotting my error.</span></div></div><br>-- <br></div><div class="gmail_extra">regards,<br></div><div class="gmail_extra">natxo<br></div></div>
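An added example, not part of the original thread: a small planner that takes the grep'd `ldapsearch` output from each live master, keeps every server's own `nsDS5ReplicaId`, and lists the remaining RUV entries as cleanup candidates. It refuses to continue if two outputs report the same replica id, which is the "same host queried twice" mistake discussed above. The function names and the short host labels are assumptions of this sketch; the RUV lines and the task entry layout are the ones posted in the thread.

```python
import re

RID_RE = re.compile(r"^nsDS5ReplicaId:\s*(\d+)\s*$", re.I)
RUV_RE = re.compile(r"^nsds50ruv:\s*\{replica\s+(\d+)\s+(ldap[^}\s]*)\}", re.I)

def parse_ruv(text):
    """Return (own replica id, {rid: url}) from one server's grep'd ldapsearch output."""
    own, ruv = None, {}
    for line in map(str.strip, text.splitlines()):
        if (m := RID_RE.match(line)):
            own = int(m.group(1))
        elif (m := RUV_RE.match(line)):
            ruv[int(m.group(1))] = m.group(2)
    return own, ruv

def plan_cleanup(outputs):
    """outputs maps each live master to the output of the search run with -h <that master>."""
    keep, seen = {}, {}
    for host, text in outputs.items():
        own, ruv = parse_ruv(text)
        if own is None:
            raise ValueError(f"{host}: no nsDS5ReplicaId in output")
        if own in keep:  # same server queried twice, as happened in the thread
            raise ValueError(f"{host} and {keep[own]} both report replica id {own}")
        keep[own] = host
        seen.update(ruv)
    stale = {rid: url for rid, url in seen.items() if rid not in keep}
    return keep, stale

def task_ldif(rid, base_dn="o=ipaca"):
    """Render the cleanallruv task entry shown in the thread, for review before ldapmodify."""
    return (f"dn: cn=clean {rid}, cn=cleanallruv, cn=tasks, cn=config\n"
            f"objectclass: extensibleObject\nreplica-base-dn: {base_dn}\n"
            f"replica-id: {rid}\ncn: clean {rid}\n")

# Sample input: RUV lines as posted in the thread (both servers listed the same set).
RUV = """nsds50ruv: {replicageneration} 50c1015c000000600000
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389} 50c1016c00000060000
nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389} 57e140c7000000470000
nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389} 50c1016800000061000
"""
KDC03 = "nsDS5ReplicaId: 66\n" + RUV
KDC04 = "nsDS5ReplicaId: 1095\n" + RUV

if __name__ == "__main__":
    keep, stale = plan_cleanup({"kdc03": KDC03, "kdc04": KDC04})
    print("keep:", keep)
    for rid in sorted(stale):
        print(task_ldif(rid))
```

Replica id 71 is flagged even though its URL names kdc03, because the decision is made on each server's current `nsDS5ReplicaId` rather than on hostnames.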