New subject: OTP sudo prompts

21 Mar 2018


      I need some help with this.  I am working with FreeIPA runnning on CentOS 7.4 verssion 4.5.0-22.  I have 2 servers in my AWS VPC and 2 servers at my local office.  
For some reason I am not seeing replication happen (over ldaps?) from 1 server in my local office to the two servers up there.
AWS servers:
[centos@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa01.stl1.gatewayblend.netfreeipa03.east.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 02:25:31+00:00freeipa04.east.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 02:25:31+00:00freeipa03.stl1.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 02:30:31+00:00[centos@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa03.stl1.gatewayblend.netfreeipa03.east.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)  last update ended: 1970-01-01 00:00:00+00:00freeipa04.east.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)  last update ended: 1970-01-01 00:00:00+00:00freeipa01.stl1.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)  last update ended: 1970-01-01 00:00:00+00:00[centos@freeipa03 ~]$
[root@freeipa04 log]# ipa-replica-manage list -v freeipa03.stl1.gatewayblend.netfreeipa03.east.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)  last update ended: 1970-01-01 00:00:00+00:00freeipa04.east.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)  last update ended: 1970-01-01 00:00:00+00:00freeipa01.stl1.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)  last update ended: 1970-01-01 00:00:00+00:00[root@freeipa04 log]# ipa-replica-manage list -v freeipa01.stl1.gatewayblend.netfreeipa03.east.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 02:25:31+00:00freeipa04.east.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 02:25:31+00:00freeipa03.stl1.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 02:30:31+00:00[root@freeipa04 log]#
Local office:server 1
[gatewayblend@freeipa01 ~]$ sudo ipa-replica-manage list -v freeipa04.east.gatewayblend.netfreeipa01.stl1.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 13:24:41+00:00freeipa03.stl1.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 13:24:32+00:00freeipa03.east.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)  last update ended: 1970-01-01 00:00:00+00:00[gatewayblend@freeipa01 ~]$ sudo ipa-replica-manage list -v freeipa03.east.gatewayblend.netfreeipa01.stl1.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 13:30:53+00:00freeipa03.stl1.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 13:30:53+00:00freeipa04.east.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)  last update ended: 1970-01-01 00:00:00+00:00[gatewayblend@freeipa01 ~]$
[gatewayblend@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa04.east.gatewayblend.netfreeipa01.stl1.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 02:08:00+00:00freeipa03.stl1.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 02:07:54+00:00freeipa03.east.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)  last update ended: 1970-01-01 00:00:00+00:00[gatewayblend@freeipa03 ~]$ sudo vim /etc/resolv.conf[gatewayblend@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa03.east.gatewayblend.netfreeipa01.stl1.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 02:40:35+00:00freeipa03.stl1.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (0) Replica acquired successfully: Incremental update succeeded  last update ended: 2018-03-21 02:40:35+00:00freeipa04.east.gatewayblend.net: replica  last init status: None  last init ended: 1970-01-01 00:00:00+00:00  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)  last update ended: 1970-01-01 00:00:00+00:00[gatewayblend@freeipa03 ~]$
The topologysegment shows we have 2-way connectivity all the way around:[root@freeipa04 log]# ipa topologysegment-find --allSuffix name: domain------------------6 segments matched------------------  dn: cn=freeipa01.stl1.gatewayblend.net-to-freeipa03.stl1.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net  Segment name: freeipa01.stl1.gatewayblend.net-to-freeipa03.stl1.gatewayblend.net  Left node: freeipa01.stl1.gatewayblend.net  Right node: freeipa03.stl1.gatewayblend.net  Connectivity: both  iparepltoposegmentstatus: autogen  objectclass: iparepltoposegment, top
  dn: cn=freeipa01.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net  Segment name: freeipa01.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net  Left node: freeipa01.stl1.gatewayblend.net  Right node: freeipa04.east.gatewayblend.net  Connectivity: both  objectclass: iparepltoposegment, top
  dn: cn=freeipa03.east.gatewayblend.net-to-freeipa01.stl1.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net  Segment name: freeipa03.east.gatewayblend.net-to-freeipa01.stl1.gatewayblend.net  Left node: freeipa03.east.gatewayblend.net  Right node: freeipa01.stl1.gatewayblend.net  Connectivity: both  objectclass: iparepltoposegment, top
  dn: cn=freeipa03.east.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net  Segment name: freeipa03.east.gatewayblend.net-to-freeipa04.east.gatewayblend.net  Left node: freeipa03.east.gatewayblend.net  Right node: freeipa04.east.gatewayblend.net  Connectivity: both  iparepltoposegmentstatus: autogen  objectclass: iparepltoposegment, top
  dn: cn=freeipa03.stl1.gatewayblend.net-to-freeipa03.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net  Segment name: freeipa03.stl1.gatewayblend.net-to-freeipa03.east.gatewayblend.net  Left node: freeipa03.stl1.gatewayblend.net  Right node: freeipa03.east.gatewayblend.net  Connectivity: both  objectclass: iparepltoposegment, top
  dn: cn=freeipa03.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net  Segment name: freeipa03.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net  Left node: freeipa03.stl1.gatewayblend.net  Right node: freeipa04.east.gatewayblend.net  Connectivity: both  objectclass: iparepltoposegment, top----------------------------Number of entries returned 6----------------------------[root@freeipa04 log]#
When I add a user everything gets sync'ed.  When I add a DNS entry its gets sync'ed all the way around.  
Is the error i'm getting a false positive?  It seems like it is.
This is the error I'm getting in /var/log/messages.  However I think this pertains to DNSSEC and can be ignored, correct?
Mar 21 13:35:25 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILUREMar 21 13:35:25 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.Mar 21 13:35:25 freeipa01 systemd: ipa-dnskeysyncd.service failed.Mar 21 13:36:25 freeipa01 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.Mar 21 13:36:25 freeipa01 systemd: Started IPA key daemon.Mar 21 13:36:25 freeipa01 systemd: Starting IPA key daemon...Mar 21 13:36:28 freeipa01 ipa-dnskeysyncd: ipa         : INFO     LDAP bind...Mar 21 13:36:28 freeipa01 ipa-dnskeysyncd: ipa         : INFO     Commencing sync processMar 21 13:36:29 freeipa01 ipa-dnskeysyncd: ipa.ipaserver.dnssec.keysyncer.KeySyncer: INFO     Initial LDAP dump is done, sychronizing with ODS and BINDMar 21 13:36:32 freeipa01 ipa-dnskeysyncd: Traceback (most recent call last):Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in <module>Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_pollMar 21 13:36:32 freeipa01 ipa-dnskeysyncd: self.syncrepl_refreshdone()Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 115, in syncrepl_refreshdoneMar 21 13:36:32 freeipa01 ipa-dnskeysyncd: self.hsm_replica_sync()Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 181, in hsm_replica_syncMar 21 13:36:32 freeipa01 ipa-dnskeysyncd: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in runMar 21 13:36:32 freeipa01 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1Mar 21 13:36:33 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILUREMar 21 13:36:33 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.Mar 21 13:36:33 freeipa01 systemd: ipa-dnskeysyncd.service failed.Mar 21 13:37:33 freeipa01 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.Mar 21 13:37:33 freeipa01 systemd: Started IPA key daemon.Mar 21 13:37:33 freeipa01 systemd: Starting IPA key daemon...Mar 21 13:37:36 freeipa01 ipa-dnskeysyncd: ipa         : INFO     LDAP bind...Mar 21 13:37:36 freeipa01 ipa-dnskeysyncd: ipa         : INFO     Commencing sync processMar 21 13:37:36 freeipa01 ipa-dnskeysyncd: ipa.ipaserver.dnssec.keysyncer.KeySyncer: INFO     Initial LDAP dump is done, sychronizing with ODS and BINDMar 21 13:37:40 freeipa01 ipa-dnskeysyncd: Traceback (most recent call last):Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in <module>Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_pollMar 21 13:37:40 freeipa01 ipa-dnskeysyncd: self.syncrepl_refreshdone()Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 115, in syncrepl_refreshdoneMar 21 13:37:40 freeipa01 ipa-dnskeysyncd: self.hsm_replica_sync()Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 181, in hsm_replica_syncMar 21 13:37:40 freeipa01 ipa-dnskeysyncd: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in runMar 21 13:37:40 freeipa01 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1Mar 21 13:37:40 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILUREMar 21 13:37:40 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.Mar 21 13:37:40 freeipa01 systemd: ipa-dnskeysyncd.service failed.[gatewayblend@freeipa01 ~]$
I'm not sure what the issue is.
Any help is appreciated.
Thank you,Andrew Meyer

replica unable to communicate