Auerbach, Steven via FreeIPA-users wrote:
I am struggling through this. I have a new server built and IPA 4.6.4-10 installed. I made it a replica from the v3.0.0-51 master.
I can't tell the context in which these commands are being executed, on which master.
What I would do instead is on each master run:
# ipa-replica-manage list -v `hostname`
This should provide the topology you are looking for.
rob
Ipa-replica-manage shows 3 ipa servers, the original 2 v3.0.0-51 servers and the new ipa v4.6.4-10 server. But when I poll for replication agreements I get no answer.
From <server1> I issued the following commands:
$ sudo ipa-replica-manage list
Directory Manager password:
<server1>.mydomain.local: master
<server2>.mydomain.local: master
<server3 – new>.mydomain.local: master
$ sudo ipa-replica-manage list <server2>
[sudo] password for <user>:
Cannot find servername in public server list
$ sudo ipa-replica-manage list <server3>
[sudo] password for <user>:
Cannot find servername in public server list
$ ldapsearch -x -D 'cn=directory manager' -W -b 'cn=mapping tree,cn=config'
Enter LDAP Password:
There is an extensive response that includes:
# dc\3Dmydomain\2Cdc\3Dlocal, mapping tree, config
.
.
nsslapd-referral: ldap://<server3>.mydomain..local:389/dc%3Dmydomain%2Cdc%3Dlocal
nsslapd-referral: ldap://<server2>.mydomain.local:389/dc%3Dmydomain%2Cdc%3Dlocal
# replica, dc\3Dmydomain\2Cdc\3Dlocal, mapping tree, config
dn: cn=replica,cn=dc\3Dmydomain\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=mydomain,dc=local
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/<invalid, removed server that should not even appear here>.mydomain.local@MYDOMAIN.LOCAL,cn=services,cn=accounts,dc=mydomain,dc=local
nsDS5ReplicaBindDN: krbprincipalname=ldap/<server2>.mydomain.local@MYDOMAIN.LOCAL,cn=services,cn=accounts,dc=mydomain,dc=local
nsDS5ReplicaBindDN: krbprincipalname=ldap/<server3>.mydomain.local@MYDOMAIN.LOCAL,cn=services,cn=accounts,dc=mydomain,dc=local
nsState:: BAAAAAAAAAA+CUNdAAAAAGEAAAAAAAAAkgAAAAAAAAAEAAAAAAAAAA==
nsDS5ReplicaName: a5641a0e-252711e3-96afcc83-6ff9b802
nsds5ReplicaChangeCount: 3768023
nsds5replicareapactive: 0
# meTo<server2>.mydomain.local, replica, dc\3Dmydomain\2Cdc\3Dlocal, mapping tree, config
dn: cn=meTo<server2>.mydomain.local,cn=replica,cn=dc\3Dmydomain\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: meTo<server2>.mydomain.local
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
description: me to <server2>.mydomain.local
nsDS5ReplicaRoot: dc=mydomain,dc=local
nsDS5ReplicaHost: <server2>.mydomain.local
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserialentryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 5241a52a000000040000
nsds50ruv: {replica 7 ldap://<server2>.mydomain.local:389} 54c80f57000000070000 5d271a1b000700070000
nsds50ruv: {replica 4 ldap://<server1>.mydomain.local:389} 5241a584000800040000 5d271866000300040000
nsds50ruv: {replica 8 ldap://<server3>.mydomain.local:389} 5d166840000000080000 5d270db6000500080000
nsruvReplicaLastModified: {replica 7 ldap://<server2>.mydomain.local:389} 00000000
nsruvReplicaLastModified: {replica 4 ldap://<server1>.mydomain.local:389} 00000000
nsruvReplicaLastModified: {replica 8 ldap://<server3>.mydomain.local:389} 00000000
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20190801154606Z
nsds5replicaLastUpdateEnd: 20190801154607Z
nsds5replicaChangesSentSinceStartup:: NDo2MDAvMjI1MjE1OSA4OjM1OS8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
# meTo<server3>.mydomain.local, replica, dc\3Dmydomain\2Cdc\3Dlocal, mapping tree, config
dn: cn=meTo<server3>.mydomain.local,cn=replica,cn=dc\3Dmydomain\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: meTo<server3>.mydomain.local
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
nsDS5ReplicaRoot: dc=mydomain,dc=local
nsDS5ReplicaHost: <server3>.mydomain.local
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserialentryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
description: me to <server3>.mydomain.local
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 5241a52a000000040000
nsds50ruv: {replica 8 ldap://<server3>.mydomain.local:389} 5d166840000000080000 5d271a1b000000080000
nsds50ruv: {replica 4 ldap://<server1>.mydomain.local:389} 5241a584000800040000 5d271866000300040000
nsds50ruv: {replica 7 ldap://<server2>.mydomain.local:389} 54c80f57000000070000 5d2717a3000300070000
nsruvReplicaLastModified: {replica 8 ldap://<server3>.mydomain.local:389} 00000000
nsruvReplicaLastModified: {replica 4 ldap://<server1>.mydomain.local:389} 00000000
nsruvReplicaLastModified: {replica 7 ldap://<server2>.mydomain.local:389} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20190801154606Z
nsds5replicaLastUpdateEnd: 20190801154607Z
nsds5replicaChangesSentSinceStartup:: NDo2MDAvMTkyNTgzNyA3OjUxMi8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
Are there no replication agreements between these servers, or is there something missing in the “public server list” so that the agreements cannot be found?
I imagine that all parts need to be seeing each other properly at this point before I even begin to try and make <server3> the new ultimate master. I will then add a <server4> ipa server and replicate it from <server3> once it is the master and retire <server1> and <server2>. At least that is the scope of the project.
Steven Auerbach
Assistant Director of Information Systems
Information Technology & Security
State University System of Florida
Board of Governors
325 W. Gaines Street, Suite 1625
Tallahassee, Florida 32399
(850) 245-9592
Steven.auerbach@flbog.edu | www.flbog.edu
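The ldapsearch dump above is the raw record of this server's replication configuration, but it is hard to read by eye: the agreements are the nsds5replicationagreement entries, the nsDS5ReplicaBindDN values on the replica entry say which hosts may push changes in, and the nsds50ruv values in each agreement are the consumer's RUV as the supplier last saw it. The script below is an added example, not from the thread or the FreeIPA project; it parses such a dump (a constructed sample with placeholder hosts and CSNs, including a decommissioned host left in the bind DN list and a deliberately failing agreement) and reports agreement health, bind DNs with no matching agreement, and how many seconds each consumer lags on changes from each replica id.

```python
"""Summarise a 389-ds/FreeIPA replication topology from the LDIF that
ldapsearch -b 'cn=mapping tree,cn=config' prints: which agreements exist and
whether they are healthy, which bind DNs may push changes to this server, and
how far each consumer's RUV lags. Added example; all hosts/CSNs are constructed."""
import base64
import re

# Constructed sample shaped like the thread's output (blank lines separate entries).
SAMPLE_LDIF = r"""
# replica, dc\3Dexample\2Cdc\3Dtest, mapping tree, config
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replica
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/old-gone.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa2.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa3.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test

dn: cn=meToipa2.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipa2.example.test
nsds50ruv: {replica 7 ldap://ipa2.example.test:389} 54c80f57000000070000 5d271a1b000700070000
nsds50ruv: {replica 4 ldap://ipa1.example.test:389} 5241a584000800040000 5d271866000300040000
nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 5d166840000000080000 5d270db6000500080000
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaChangesSentSinceStartup:: NDo2MDAvMjI1MjE1OSA4OjM1OS8wIA==

dn: cn=meToipa3.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipa3.example.test
nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 5d166840000000080000 5d271a1b000000080000
nsds50ruv: {replica 4 ldap://ipa1.example.test:389} 5241a584000800040000 5d271866000300040000
nsds50ruv: {replica 7 ldap://ipa2.example.test:389} 54c80f57000000070000 5d2717a3000300070000
nsds5replicaLastUpdateStatus: -1 Problem connecting to replica - LDAP error: Can't contact LDAP server
"""

RUV_RE = re.compile(r'\{replica (\d+) (ldap://[^}]+)\}\s+([0-9a-f]{20})\s+([0-9a-f]{20})')


def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute -> list of values.
    Handles '#' comments, '::' base64 values and folded continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]  # LDIF folding: a leading space continues the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + ['']:
        if line.startswith('#'):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        m = re.match(r'^([^:\s]+)(::?)\s?(.*)$', line)
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == '::':
            value = base64.b64decode(value).decode('utf-8', 'replace')
        current.setdefault(attr, []).append(value.strip())
    return entries


def has_class(entry, name):
    return name in (c.lower() for c in entry.get('objectclass', []))


def parse_ruv(values):
    """{rid: newest CSN this consumer has applied from replica rid}."""
    return {int(m.group(1)): m.group(4) for m in map(RUV_RE.search, values) if m}


def summarize(text):
    entries = parse_ldif(text)
    replica = next(e for e in entries if has_class(e, 'nsds5replica'))
    agreements = {}
    for e in entries:
        if has_class(e, 'nsds5replicationagreement'):
            status = e.get('nsds5replicalastupdatestatus', [''])[0]
            agreements[e['nsds5replicahost'][0].lower()] = {
                'ok': re.match(r'(?:Error \()?0\b', status) is not None,  # "0 ..." or "Error (0) ..."
                'status': status,
                'ruv': parse_ruv(e.get('nsds50ruv', [])),
                'changes_sent': e.get('nsds5replicachangessentsincestartup', [''])[0],
            }
    # Supplier bind DNs with no outbound agreement deserve a look: a decommissioned
    # master lingering here is exactly what the thread noticed.
    bind_hosts = [m.group(1).lower() for m in
                  (re.match(r'krbprincipalname=ldap/([^@]+)@', dn, re.I)
                   for dn in replica.get('nsds5replicabinddn', [])) if m]
    # Lag per (consumer, originating rid): the first 8 hex digits of a CSN are the
    # Unix time of the change, so compare against the newest CSN seen for that rid.
    newest = {}
    for a in agreements.values():
        for rid, csn in a['ruv'].items():
            newest[rid] = max(newest.get(rid, csn), csn)  # equal-length hex sorts numerically
    lag = {(host, rid): int(newest[rid][:8], 16) - int(csn[:8], 16)
           for host, a in agreements.items() for rid, csn in a['ruv'].items()}
    return {'replica_id': int(replica['nsds5replicaid'][0]), 'agreements': agreements,
            'bind_dns_without_agreement': sorted(h for h in bind_hosts if h not in agreements),
            'ruv_lag_seconds': lag}


if __name__ == '__main__':
    s = summarize(SAMPLE_LDIF)
    print(f"this server is replica id {s['replica_id']}")
    for host, a in s['agreements'].items():
        print(f"  -> {host}: {'OK' if a['ok'] else 'FAILING'}: {a['status']}")
    for (host, rid), secs in sorted(s['ruv_lag_seconds'].items()):
        if secs:
            print(f"  {host} is {secs}s behind on changes from replica {rid}")
    if s['bind_dns_without_agreement']:
        print("  bind DNs with no agreement:", ', '.join(s['bind_dns_without_agreement']))
```

To use it on a real server, pipe the ldapsearch output shown above into a file and pass its contents to summarize(). A bind DN with no agreement is not automatically wrong (the topology need not be a full mesh), but after a replica has been removed it is the entry ipa-replica-manage del should have cleaned up; a non-zero lastUpdateStatus or a growing lag on one consumer is what to chase first.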
From the master-master original IPA v3.0.0 server - <ipa1> - I ran and received the following responses: NOTE: using aliases within arrow points for disambiguation.
[<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa1>'
[sudo] password for <user>:
Cannot find <ipa1> in public server list
[<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa2>'
Directory Manager password:
Cannot find <ipa2> in public server list
[<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa3>'
Directory Manager password:
Cannot find <ipa3> in public server list
From the replica-master server recently made with IPA v4.6.5 - <ipa3> - I ran and received the following responses: NOTE: using aliases within arrow points for disambiguation.
[<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa1>'
[sudo] password for <user>:
Unknown host <ipa1>: Host '<ipa1>' does not have corresponding DNS A/AAAA record
[<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa2>'
Directory Manager password:
Unknown host ipa-r02: Host 'ipa-r02' does not have corresponding DNS A/AAAA record
[<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa3>'
Directory Manager password:
Unknown host ipa03: Host 'ipa03' does not have corresponding DNS A/AAAA record