Hi Florence,

On Wed, 6 Feb 2019, Florence Blanc-Renaud via FreeIPA-users wrote:

On 2/5/19 4:17 PM, dbischof--- via FreeIPA-users wrote:

...

my IPA system consists of 2 masters (ipa1 and ipa2, both on FreeIPA 4.6.4) with their own self-signed CAs, one of them being the certificate renewal master (ipa1). The system has been running for years and has been migrated from an IPA 3 system. Both IPA servers are on domain level 1.

Problem: CS replication failed, probably months ago.

--- ipa1 --- $ ipa-csreplica-manage -v list ipa1.example.com

ipa2.example.com   last init status: None   last init ended: 1970-01-01 00:00:00+00:00   last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)   last update ended: 1970-01-01 00:00:00+00:00

-- $ ipa-csreplica-manage -v list ipa2.example.com

[no output]

Same on ipa2.

Probably related:

---

ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

---

Every 5 mins in /var/log/dirsrv/slapd-EXAMPLE-COM/errors. However, these error messages could refer to ipa3.example.com, a master i deleted long (> 2 years) ago:

---

$ ipa-replica-manage list-ruv

Replica Update Vectors:         ipa2.example.com:389: 10         ipa1.example.com:389: 9 Certificate Server Replica Update Vectors:         ipa2.example.com:389: 11         ipa1.example.com:389: 91         ipa2.example.com:7389: 96         ipa3.example.com:7389: 97

---

How do i track this down and resolve the problem?

please find more information re. 389-ds troubleshooting: https://www.freeipa.org/page/Troubleshooting/Directory_Server

I checked for the common problems described in that page already, but to no avail. I did, however, successfully manage to remove replication references to ipa3 using "ipa-replica-manage clean-dangling-ruv":

--- $ ipa-replica-manage list-ruv Replica Update Vectors: ipa1.example.com:389: 9 ipa2.example.com:389: 10 Certificate Server Replica Update Vectors: ipa1.example.com:389: 91 ipa2.example.com:389: 11 ---

The error message

--- [06/Feb/2019:10:38:52.095489260 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) ---

on ipa1 is still in the logs. Additionally, while cleaning ruvs:

--- [06/Feb/2019:10:32:31.029394375 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=cloneAgreement1-ipa1.example.com-pki-tomcat" (ipa2:7389) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) () ---

The ldapsearch queries described in the above page can be carried out successfully on both servers:

--- [...] # search result search: 4 result: 0 Success

# numResponses: 2 # numEntries: 1 ---

Also, no DNS issues, wrong entries /etc/hosts, time differences or log messages related to SASL issues.

Maybe a wrong key or certificate somewhere?

Mit freundlichen Gruessen/With best regards,

--Daniel.

Hi.

have you tried to use "ipa-csreplica-manage re-initialize --from <replica1>" in replica1 ?

You could also re-init off line by using this article:

https://access.redhat.com/solutions/140483

only for ipaca backend.

regards,

German.

On Wed, Feb 6, 2019 at 11:31 AM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

Hi Florence,

On Wed, 6 Feb 2019, dbischof--- via FreeIPA-users wrote:

...

On Wed, 6 Feb 2019, Florence Blanc-Renaud via FreeIPA-users wrote:

...

On 2/5/19 4:17 PM, dbischof--- via FreeIPA-users wrote:

...

my IPA system consists of 2 masters (ipa1 and ipa2, both on FreeIPA 4.6.4) with their own self-signed CAs, one of them being the certificate renewal master (ipa1). The system has been running for years and has been migrated from an IPA 3 system. Both IPA servers are on domain level 1.

Problem: CS replication failed, probably months ago.

--- ipa1 --- $ ipa-csreplica-manage -v list ipa1.example.com

ipa2.example.com last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (-1) Problem connecting to replica -

LDAP

...

...

...

error: Can't contact LDAP server (connection error) last update ended: 1970-01-01 00:00:00+00:00

-- $ ipa-csreplica-manage -v list ipa2.example.com

[no output]

Same on ipa2.

Probably related:

---

ERR - slapi_ldap_bind - Error: could not send startTLS request:

error -1

...

...

...

(Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

---

Every 5 mins in /var/log/dirsrv/slapd-EXAMPLE-COM/errors. However,

these

...

...

...

error messages could refer to ipa3.example.com, a master i deleted

long

...

...

...

(> 2 years) ago:

---

$ ipa-replica-manage list-ruv

Replica Update Vectors: ipa2.example.com:389: 10 ipa1.example.com:389: 9 Certificate Server Replica Update Vectors: ipa2.example.com:389: 11 ipa1.example.com:389: 91 ipa2.example.com:7389: 96 ipa3.example.com:7389: 97

---

How do i track this down and resolve the problem?

please find more information re. 389-ds troubleshooting: https://www.freeipa.org/page/Troubleshooting/Directory_Server

I checked for the common problems described in that page already, but to no avail. I did, however, successfully manage to remove replication references to ipa3 using "ipa-replica-manage clean-dangling-ruv":

---

$ ipa-replica-manage list-ruv Replica Update Vectors: ipa1.example.com:389: 9 ipa2.example.com:389: 10 Certificate Server Replica Update Vectors: ipa1.example.com:389: 91 ipa2.example.com:389: 11

---

The error message

---

[06/Feb/2019:10:38:52.095489260 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

---

on ipa1 is still in the logs. Additionally, while cleaning ruvs:

---

[06/Feb/2019:10:32:31.029394375 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=cloneAgreement1-ipa1.example.com-pki-tomcat" (ipa2:7389) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()

---

The ldapsearch queries described in the above page can be carried out successfully on both servers:

---

[...] # search result search: 4 result: 0 Success

# numResponses: 2

# numEntries: 1

Also, no DNS issues, wrong entries /etc/hosts, time differences or log messages related to SASL issues.

Maybe a wrong key or certificate somewhere?

update: ipa-checkcerts.py shows

---

[...] Failures: ipa: INFO: Unable to find request for serial 268304391 Unable to find request for serial 268304391 ipa: INFO: Unable to find request for serial 268304394 Unable to find request for serial 268304394 ipa: INFO: Unable to find request for serial 268304393 Unable to find request for serial 268304393 ipa: INFO: Unable to find request for serial 268304392 Unable to find request for serial 268304392 ipa: INFO: Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN= ipa1.example.com,O=EXAMPLE.COM do not match for serial 57

---

So there is a certificate issue.

Mit freundlichen Gruessen/With best regards,

--Daniel. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Hi,

this is a bug in the product that might have been fixed already:

Connectivity: left-right

we cannot have these sort of connectivity.

In ipa02 there's no replication agreement to ipa01 (for ipaca database).

But as in ipa01 we see that the topology is showing "both" in the connectivity, I suggest to do export-import "off line" of the database. Then the topology subtree will be set in ipa02, exactly as in ipa01, and the topology plugin will create automatically the replication agreement that is missing now.

export from ipa01 the backend ipaca and re-import it in ipa02. Then, start the server and check if now it's showing "both" in connectivity at ipa02 side.

Best regards,

German.

PS: If you have a subscription, please create a support case.

On Wed, Feb 6, 2019 at 4:57 PM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

Hi German,

On Wed, 6 Feb 2019, German Parente via FreeIPA-users wrote:

...

have you tried to use "ipa-csreplica-manage re-initialize --from <replica1>" in replica1 ?

Thanks for your answer.

I already tried (on ipa2)

---

$ ipa-csreplica-manage re-initialize --from ipa1.example.com

which failed.

Interestingly enough, the error message is

---

unexpected error: Replication agreement for ipa1.example.com not found

And indeed:

---

$ ipa topologysegment-find ca

2 segments matched

Segment name: ipa2.example.com-to-ipa1.example.com Left node: ipa2.example.com Right node: ipa1.example.com Connectivity: both

Segment name: ipa1.example.com-to-ipa2.example.com Left node: ipa1.example.com Right node: ipa2.example.com Connectivity: left-right

---

Number of entries returned 2

---

The Web UI topology graph doesn't reflect this, btw.

Isn't the 2nd segment obsolete and probably causing my CS replication issues? Just remove it?

...

You could also re-init off line by using this article:

https://access.redhat.com/solutions/140483

only for ipaca backend.

On Wed, Feb 6, 2019 at 11:31 AM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

...

Hi Florence,

On Wed, 6 Feb 2019, dbischof--- via FreeIPA-users wrote:

...

On Wed, 6 Feb 2019, Florence Blanc-Renaud via FreeIPA-users wrote:

...

On 2/5/19 4:17 PM, dbischof--- via FreeIPA-users wrote:

...

my IPA system consists of 2 masters (ipa1 and ipa2, both on FreeIPA 4.6.4) with their own self-signed CAs, one of them being the certificate renewal master (ipa1). The system has been running for years and has been migrated from an IPA 3 system. Both IPA servers are on domain level 1.

Problem: CS replication failed, probably months ago.

--- ipa1 --- $ ipa-csreplica-manage -v list ipa1.example.com

ipa2.example.com last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (-1) Problem connecting to replica -

LDAP

...

...

...

...

...

error: Can't contact LDAP server (connection error) last update ended: 1970-01-01 00:00:00+00:00

-- $ ipa-csreplica-manage -v list ipa2.example.com

[no output]

Same on ipa2.

Probably related:

---

ERR - slapi_ldap_bind - Error: could not send startTLS request:

error -1

...

...

...

...

...

(Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

---

Every 5 mins in /var/log/dirsrv/slapd-EXAMPLE-COM/errors. However,

these

...

...

...

...

...

error messages could refer to ipa3.example.com, a master i

deleted long

...

...

...

...

...

(> 2 years) ago:

---

$ ipa-replica-manage list-ruv

Replica Update Vectors: ipa2.example.com:389: 10 ipa1.example.com:389: 9 Certificate Server Replica Update Vectors: ipa2.example.com:389: 11 ipa1.example.com:389: 91 ipa2.example.com:7389: 96 ipa3.example.com:7389: 97

---

How do i track this down and resolve the problem?

please find more information re. 389-ds troubleshooting: https://www.freeipa.org/page/Troubleshooting/Directory_Server

I checked for the common problems described in that page already, but

to

...

...

...

no avail. I did, however, successfully manage to remove replication references to ipa3 using "ipa-replica-manage clean-dangling-ruv":

---

$ ipa-replica-manage list-ruv Replica Update Vectors: ipa1.example.com:389: 9 ipa2.example.com:389: 10 Certificate Server Replica Update Vectors: ipa1.example.com:389: 91 ipa2.example.com:389: 11

---

The error message

---

[06/Feb/2019:10:38:52.095489260 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

---

on ipa1 is still in the logs. Additionally, while cleaning ruvs:

---

[06/Feb/2019:10:32:31.029394375 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=cloneAgreement1-ipa1.example.com-pki-tomcat" (ipa2:7389) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()

---

The ldapsearch queries described in the above page can be carried out successfully on both servers:

---

[...] # search result search: 4 result: 0 Success

# numResponses: 2

# numEntries: 1

Also, no DNS issues, wrong entries /etc/hosts, time differences or log messages related to SASL issues.

Maybe a wrong key or certificate somewhere?

update: ipa-checkcerts.py shows

---

[...] Failures: ipa: INFO: Unable to find request for serial 268304391 Unable to find request for serial 268304391 ipa: INFO: Unable to find request for serial 268304394 Unable to find request for serial 268304394 ipa: INFO: Unable to find request for serial 268304393 Unable to find request for serial 268304393 ipa: INFO: Unable to find request for serial 268304392 Unable to find request for serial 268304392 ipa: INFO: Subject O=EXAMPLE.COM,CN=ipa2.example.com and template

subject

...

...

CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN= ipa1.example.com,O=EXAMPLE.COM do not match for serial 57

---

So there is a certificate issue.

Mit freundlichen Gruessen/With best regards,

--Daniel. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Hi,

don't forget "-r" to export. If not, replication metadata will not be exported and after the import, the replicas will not be in sync.

best regards,

German.

On Thu, Feb 7, 2019 at 3:46 PM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

Hi German,

On Wed, 6 Feb 2019, German Parente via FreeIPA-users wrote:

...

this is a bug in the product that might have been fixed already:

Connectivity: left-right

we cannot have these sort of connectivity.

In ipa02 there's no replication agreement to ipa01 (for ipaca database).

But as in ipa01 we see that the topology is showing "both" in the connectivity, I suggest to do export-import "off line" of the database. Then the topology subtree will be set in ipa02, exactly as in ipa01, and the topology plugin will create automatically the replication agreement that is missing now.

export from ipa01 the backend ipaca and re-import it in ipa02. Then, start the server and check if now it's showing "both" in connectivity at ipa02 side.

thank you for your hints.

Unfortunately, I never did something like this before (and I can't access the article you cited below). According to the Directory Manager docs, it's probably something like

---

db2ldif.pl -Z EXAMPLE-COM -D "cn=Directory Manager" -w - -n ipaca -a /tmp/foo.dif

---

to export on running ipa1 and

---

ldif2db -Z EXAMPLE-COM -n ipaca -i /tmp/foo.dif

to import on ipa2 with IPA not running, right? Something else to be taken into account to not break something (these are production servers - my group is small but vigorous ;-)

...

On Wed, Feb 6, 2019 at 4:57 PM dbischof--- via FreeIPA-users <

freeipa-users@lists.fedorahosted.org> wrote:

...

...

On Wed, 6 Feb 2019, German Parente via FreeIPA-users wrote:

...

have you tried to use "ipa-csreplica-manage re-initialize --from <replica1>" in replica1 ?

Thanks for your answer.

I already tried (on ipa2)

---

$ ipa-csreplica-manage re-initialize --from ipa1.example.com

which failed.

Interestingly enough, the error message is

---

unexpected error: Replication agreement for ipa1.example.com not found

And indeed:

---

$ ipa topologysegment-find ca

2 segments matched

Segment name: ipa2.example.com-to-ipa1.example.com Left node: ipa2.example.com Right node: ipa1.example.com Connectivity: both

Segment name: ipa1.example.com-to-ipa2.example.com Left node: ipa1.example.com Right node: ipa2.example.com Connectivity: left-right

---

Number of entries returned 2

---

The Web UI topology graph doesn't reflect this, btw.

Isn't the 2nd segment obsolete and probably causing my CS replication issues? Just remove it?

...

You could also re-init off line by using this article:

https://access.redhat.com/solutions/140483

only for ipaca backend.

On Wed, Feb 6, 2019 at 11:31 AM dbischof--- via FreeIPA-users <

freeipa-users@lists.fedorahosted.org> wrote:

...

...

...

...

On Wed, 6 Feb 2019, dbischof--- via FreeIPA-users wrote:

...

On Wed, 6 Feb 2019, Florence Blanc-Renaud via FreeIPA-users wrote:

> On 2/5/19 4:17 PM, dbischof--- via FreeIPA-users wrote: >> >> my IPA system consists of 2 masters (ipa1 and ipa2, both on >> FreeIPA 4.6.4) with their own self-signed CAs, one of them being >> the certificate renewal master (ipa1). The system has been >> running for years and has been migrated from an IPA 3 system. >> Both IPA servers are on domain level 1. >> >> Problem: CS replication failed, probably months ago. >> >> --- ipa1 --- >> $ ipa-csreplica-manage -v list ipa1.example.com >> >> ipa2.example.com >> last init status: None >> last init ended: 1970-01-01 00:00:00+00:00 >> last update status: Error (-1) Problem connecting to replica

• LDAP

...

...

...

...

...

>> error: Can't contact LDAP server (connection error) >> last update ended: 1970-01-01 00:00:00+00:00 >> >> -- >> $ ipa-csreplica-manage -v list ipa2.example.com >> >> [no output] >> ---- >> >> Same on ipa2. >> >> Probably related: >> >> --- >> ERR - slapi_ldap_bind - Error: could not send startTLS request: >> error -1 (Can't contact LDAP server) errno 107 (Transport >> endpoint is not connected) >> --- >> >> Every 5 mins in /var/log/dirsrv/slapd-EXAMPLE-COM/errors. >> However, these error messages could refer to ipa3.example.com, a >> master i deleted long (> 2 years) ago: >> >> --- >> $ ipa-replica-manage list-ruv >> >> Replica Update Vectors: >> ipa2.example.com:389: 10 >> ipa1.example.com:389: 9 >> Certificate Server Replica Update Vectors: >> ipa2.example.com:389: 11 >> ipa1.example.com:389: 91 >> ipa2.example.com:7389: 96 >> ipa3.example.com:7389: 97 >> --- >> >> How do i track this down and resolve the problem? >> >> > please find more information re. 389-ds troubleshooting: > https://www.freeipa.org/page/Troubleshooting/Directory_Server

I checked for the common problems described in that page already, but to no avail. I did, however, successfully manage to remove replication references to ipa3 using "ipa-replica-manage clean-dangling-ruv":

---

$ ipa-replica-manage list-ruv Replica Update Vectors: ipa1.example.com:389: 9 ipa2.example.com:389: 10 Certificate Server Replica Update Vectors: ipa1.example.com:389: 91 ipa2.example.com:389: 11

---

The error message

---

[06/Feb/2019:10:38:52.095489260 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

---

on ipa1 is still in the logs. Additionally, while cleaning ruvs:

---

[06/Feb/2019:10:32:31.029394375 +0100] - ERR - NSMMReplicationPlugin

• bind_and_check_pwp -

agmt="cn=cloneAgreement1-ipa1.example.com-pki-tomcat" (ipa2:7389) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()

---

The ldapsearch queries described in the above page can be carried out successfully on both servers:

---

[...] # search result search: 4 result: 0 Success

# numResponses: 2

# numEntries: 1

Also, no DNS issues, wrong entries /etc/hosts, time differences or log messages related to SASL issues.

Maybe a wrong key or certificate somewhere?

update: ipa-checkcerts.py shows

---

[...] Failures: ipa: INFO: Unable to find request for serial 268304391 Unable to find request for serial 268304391 ipa: INFO: Unable to find request for serial 268304394 Unable to find request for serial 268304394 ipa: INFO: Unable to find request for serial 268304393 Unable to find request for serial 268304393 ipa: INFO: Unable to find request for serial 268304392 Unable to find request for serial 268304392 ipa: INFO: Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN= ipa1.example.com,O=EXAMPLE.COM do not match for serial 57

---

So there is a certificate issue.

Mit freundlichen Gruessen/With best regards,

--Daniel. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Hi,

in fact, there's no sense to have "two segments" one from ipa1 <--> ipa2 and other ipa1 --> ipa2.

you should delete the segment that is showing "right-left" connectivity.

regards,

German.

On Mon, Feb 11, 2019 at 1:47 PM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

Hi German,

On Mon, 11 Feb 2019, German Parente via FreeIPA-users wrote:

...

don't forget "-r" to export. If not, replication metadata will not be exported and after the import, the replicas will not be in sync.

thank you for your hints.

Unfortunately, the replication/topology problem remains unsolved.

Here's what i did:

--- ipa1 (IPA running) db2ldif.pl -Z EXAMPLE-COM -D "cn=Directory Manager" -r -w - -n ipaca -a /tmp/foo.dif

---

Copied the file over to ipa2, then

--- ipa2 (IPA not running) ldif2db -Z EXAMPLE-COM -n ipaca -i foo.dif

---

Started IPA on ipa2, but still

---

$ ipa topologysegment-find ca

2 segments matched

Segment name: ipa2.example.com-to-ipa1.example.com Left node: ipa2.example.com Right node: ipa1.example.com Connectivity: both

Segment name: ipa1.example.com-to-ipa2.example.com Left node: ipa1.example.com Right node: ipa2.example.com Connectivity: left-right

---

Number of entries returned 2

In case there's nothing obvious and easy left to be tried out, I'd consider to uninstall IPA on ipa2, reinstall as client and promote ipa2 to master again as described in the docs.

...

On Thu, Feb 7, 2019 at 3:46 PM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

...

On Wed, 6 Feb 2019, German Parente via FreeIPA-users wrote:

...

this is a bug in the product that might have been fixed already:

Connectivity: left-right

we cannot have these sort of connectivity.

In ipa02 there's no replication agreement to ipa01 (for ipaca database).

But as in ipa01 we see that the topology is showing "both" in the connectivity, I suggest to do export-import "off line" of the database. Then the topology subtree will be set in ipa02, exactly as in ipa01, and the topology plugin will create automatically the replication agreement that is missing now.

export from ipa01 the backend ipaca and re-import it in ipa02. Then, start the server and check if now it's showing "both" in connectivity at ipa02 side.

thank you for your hints.

Unfortunately, I never did something like this before (and I can't access the article you cited below). According to the Directory Manager docs, it's probably something like

---

db2ldif.pl -Z EXAMPLE-COM -D "cn=Directory Manager" -w - -n ipaca -a

/tmp/foo.dif

...

...

---

to export on running ipa1 and

---

ldif2db -Z EXAMPLE-COM -n ipaca -i /tmp/foo.dif

to import on ipa2 with IPA not running, right? Something else to be

taken

...

...

into account to not break something (these are production servers - my group is small but vigorous ;-)

...

On Wed, Feb 6, 2019 at 4:57 PM dbischof--- via FreeIPA-users <

freeipa-users@lists.fedorahosted.org> wrote:

...

...

...

...

On Wed, 6 Feb 2019, German Parente via FreeIPA-users wrote:

...

have you tried to use "ipa-csreplica-manage re-initialize --from <replica1>" in replica1 ?

Thanks for your answer.

I already tried (on ipa2)

---

$ ipa-csreplica-manage re-initialize --from ipa1.example.com

which failed.

Interestingly enough, the error message is

---

unexpected error: Replication agreement for ipa1.example.com not

found

...

...

...

...

---

And indeed:

---

$ ipa topologysegment-find ca

2 segments matched

Segment name: ipa2.example.com-to-ipa1.example.com Left node: ipa2.example.com Right node: ipa1.example.com Connectivity: both

Segment name: ipa1.example.com-to-ipa2.example.com Left node: ipa1.example.com Right node: ipa2.example.com Connectivity: left-right

---

Number of entries returned 2

---

The Web UI topology graph doesn't reflect this, btw.

Isn't the 2nd segment obsolete and probably causing my CS replication issues? Just remove it?

...

You could also re-init off line by using this article:

https://access.redhat.com/solutions/140483

only for ipaca backend.

On Wed, Feb 6, 2019 at 11:31 AM dbischof--- via FreeIPA-users <

freeipa-users@lists.fedorahosted.org> wrote:

...

...

...

...

...

> On Wed, 6 Feb 2019, dbischof--- via FreeIPA-users wrote: > >> On Wed, 6 Feb 2019, Florence Blanc-Renaud via FreeIPA-users wrote: >> >>> On 2/5/19 4:17 PM, dbischof--- via FreeIPA-users wrote: >>>> >>>> my IPA system consists of 2 masters (ipa1 and ipa2, both on >>>> FreeIPA 4.6.4) with their own self-signed CAs, one of them >>>> being the certificate renewal master (ipa1). The system has >>>> been running for years and has been migrated from an IPA 3 >>>> system. Both IPA servers are on domain level 1. >>>> >>>> Problem: CS replication failed, probably months ago. >>>> >>>> --- ipa1 --- >>>> $ ipa-csreplica-manage -v list ipa1.example.com >>>> >>>> ipa2.example.com >>>> last init status: None >>>> last init ended: 1970-01-01 00:00:00+00:00 >>>> last update status: Error (-1) Problem connecting to

replica - LDAP error: Can't contact LDAP server (connection error)

...

...

...

...

...

>>>> last update ended: 1970-01-01 00:00:00+00:00 >>>> >>>> -- >>>> $ ipa-csreplica-manage -v list ipa2.example.com >>>> >>>> [no output] >>>> ---- >>>> >>>> Same on ipa2. >>>> >>>> Probably related: >>>> >>>> --- >>>> ERR - slapi_ldap_bind - Error: could not send startTLS >>>> request: error -1 (Can't contact LDAP server) errno 107 >>>> (Transport endpoint is not connected) >>>> --- >>>> >>>> Every 5 mins in /var/log/dirsrv/slapd-EXAMPLE-COM/errors. >>>> However, these error messages could refer to ipa3.example.com, >>>> a master i deleted long (> 2 years) ago: >>>> >>>> --- >>>> $ ipa-replica-manage list-ruv >>>> >>>> Replica Update Vectors: >>>> ipa2.example.com:389: 10 >>>> ipa1.example.com:389: 9 >>>> Certificate Server Replica Update Vectors: >>>> ipa2.example.com:389: 11 >>>> ipa1.example.com:389: 91 >>>> ipa2.example.com:7389: 96 >>>> ipa3.example.com:7389: 97 >>>> --- >>>> >>>> How do i track this down and resolve the problem? >>>> >>>> >>> please find more information re. 389-ds troubleshooting: >>> https://www.freeipa.org/page/Troubleshooting/Directory_Server >> >> I checked for the common problems described in that page already, >> but to no avail. I did, however, successfully manage to remove >> replication references to ipa3 using "ipa-replica-manage >> clean-dangling-ruv": >> >> --- >> $ ipa-replica-manage list-ruv >> Replica Update Vectors: >> ipa1.example.com:389: 9 >> ipa2.example.com:389: 10 >> Certificate Server Replica Update Vectors: >> ipa1.example.com:389: 91 >> ipa2.example.com:389: 11 >> --- >> >> The error message >> >> --- >> [06/Feb/2019:10:38:52.095489260 +0100] - ERR - slapi_ldap_bind - >> Error: could not send startTLS request: error -1 (Can't contact

LDAP

...

...

...

...

...

>> server) errno 107 (Transport endpoint is not connected) >> --- >> >> on ipa1 is still in the logs. Additionally, while cleaning ruvs: >> >> --- >> [06/Feb/2019:10:32:31.029394375 +0100] - ERR -

NSMMReplicationPlugin

...

...

...

...

...

>> - bind_and_check_pwp - >> agmt="cn=cloneAgreement1-ipa1.example.com-pki-tomcat" (ipa2:7389) - >> Replication bind with SIMPLE auth failed: LDAP error -1 (Can't >> contact LDAP server) () >> --- >> >> The ldapsearch queries described in the above page can be carried >> out successfully on both servers: >> >> --- >> [...] >> # search result >> search: 4 >> result: 0 Success >> >> # numResponses: 2 >> # numEntries: 1 >> --- >> >> Also, no DNS issues, wrong entries /etc/hosts, time differences or >> log messages related to SASL issues. >> >> Maybe a wrong key or certificate somewhere? > > update: ipa-checkcerts.py shows > > --- > [...] > Failures: > ipa: INFO: Unable to find request for serial 268304391 > Unable to find request for serial 268304391 > ipa: INFO: Unable to find request for serial 268304394 > Unable to find request for serial 268304394 > ipa: INFO: Unable to find request for serial 268304393 > Unable to find request for serial 268304393 > ipa: INFO: Unable to find request for serial 268304392 > Unable to find request for serial 268304392 > ipa: INFO: Subject O=EXAMPLE.COM,CN=ipa2.example.com and template > subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial

57

...

...

...

...

...

> Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN= > ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 > --- > > So there is a certificate issue.

Mit freundlichen Gruessen/With best regards,

--Daniel. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Hi,

well, there's still a possibility to remove it manually. it's rather easy.

ldapsearch -D "cn=directory manager" -W -b "cn=topology,cn=ipa,cn=etc,dc=example,dc=com"

that will show all the entries in the topology subtree. You will find the one with "left-right" or "right-left" connectivity.

Before deleting it, do this:

ldapmodify -D "cn=directory manager" -W << EOF dn: cn=IPA Topology Configuration,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: off EOF

restart services.

Delete the wrong entry with "ldapdelete" command.

then, do this: ldapmodify -D "cn=directory manager" -W << EOF dn: cn=IPA Topology Configuration,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: on EOF

restart services.

Check your segments again.

if you have a subscription, please open a support case, ask for my help and I will fix that in your machines in a remote session.

Regards,

German.

On Tue, Feb 12, 2019 at 9:17 AM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

Hi German,

On Mon, 11 Feb 2019, German Parente via FreeIPA-users wrote:

...

in fact, there's no sense to have "two segments" one from ipa1 <--> ipa2 and other ipa1 --> ipa2.

you should delete the segment that is showing "right-left" connectivity.

that doesn't work, i tried that already:

---

$ ipa topologysegment-del ca ipa1.example.com-to-ipa2.example.com ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology. Deletion not allowed.

---

Tried on both masters.

...

On Mon, Feb 11, 2019 at 1:47 PM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

...

On Mon, 11 Feb 2019, German Parente via FreeIPA-users wrote:

...

don't forget "-r" to export. If not, replication metadata will not be exported and after the import, the replicas will not be in sync.

thank you for your hints.

Unfortunately, the replication/topology problem remains unsolved.

Here's what i did:

--- ipa1 (IPA running) db2ldif.pl -Z EXAMPLE-COM -D "cn=Directory Manager" -r -w - -n ipaca -a /tmp/foo.dif

---

Copied the file over to ipa2, then

--- ipa2 (IPA not running) ldif2db -Z EXAMPLE-COM -n ipaca -i foo.dif

---

Started IPA on ipa2, but still

---

$ ipa topologysegment-find ca

2 segments matched

Segment name: ipa2.example.com-to-ipa1.example.com Left node: ipa2.example.com Right node: ipa1.example.com Connectivity: both

Segment name: ipa1.example.com-to-ipa2.example.com Left node: ipa1.example.com Right node: ipa2.example.com Connectivity: left-right

---

Number of entries returned 2

In case there's nothing obvious and easy left to be tried out, I'd consider to uninstall IPA on ipa2, reinstall as client and promote ipa2

to

...

...

master again as described in the docs.

...

On Thu, Feb 7, 2019 at 3:46 PM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

...

On Wed, 6 Feb 2019, German Parente via FreeIPA-users wrote:

...

this is a bug in the product that might have been fixed already:

Connectivity: left-right

we cannot have these sort of connectivity.

In ipa02 there's no replication agreement to ipa01 (for ipaca database).

But as in ipa01 we see that the topology is showing "both" in the connectivity, I suggest to do export-import "off line" of the database. Then the topology subtree will be set in ipa02, exactly as in ipa01, and the topology plugin will create automatically the replication agreement that is missing now.

export from ipa01 the backend ipaca and re-import it in ipa02. Then, start the server and check if now it's showing "both" in connectivity at ipa02 side.

thank you for your hints.

Unfortunately, I never did something like this before (and I can't access the article you cited below). According to the Directory

Manager

...

...

...

...

docs, it's probably something like

---

db2ldif.pl -Z EXAMPLE-COM -D "cn=Directory Manager" -w - -n ipaca -a

/tmp/foo.dif

...

...

...

...

---

to export on running ipa1 and

---

ldif2db -Z EXAMPLE-COM -n ipaca -i /tmp/foo.dif

to import on ipa2 with IPA not running, right? Something else to be taken into account to not break something (these are production servers - my group is small but vigorous ;-)

...

On Wed, Feb 6, 2019 at 4:57 PM dbischof--- via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:

> On Wed, 6 Feb 2019, German Parente via FreeIPA-users wrote: > >> have you tried to use "ipa-csreplica-manage re-initialize --from >> <replica1>" in replica1 ? > > Thanks for your answer. > > I already tried (on ipa2) > > --- > $ ipa-csreplica-manage re-initialize --from ipa1.example.com > --- > > which failed. > > Interestingly enough, the error message is > > --- > unexpected error: Replication agreement for ipa1.example.com > not found > --- > > And indeed: > > --- > $ ipa topologysegment-find ca > ------------------ > 2 segments matched > ------------------ > Segment name: ipa2.example.com-to-ipa1.example.com > Left node: ipa2.example.com > Right node: ipa1.example.com > Connectivity: both > > Segment name: ipa1.example.com-to-ipa2.example.com > Left node: ipa1.example.com > Right node: ipa2.example.com > Connectivity: left-right > ---------------------------- > Number of entries returned 2 > ---------------------------- > --- > > The Web UI topology graph doesn't reflect this, btw. > > Isn't the 2nd segment obsolete and probably causing my CS

replication

...

...

...

...

...

> issues? Just remove it? > >> You could also re-init off line by using this article: >> >> https://access.redhat.com/solutions/140483 >> >> only for ipaca backend. >> >> On Wed, Feb 6, 2019 at 11:31 AM dbischof--- via FreeIPA-users <

freeipa-users@lists.fedorahosted.org> wrote:

...

...

...

...

...

>> >>> On Wed, 6 Feb 2019, dbischof--- via FreeIPA-users wrote: >>> >>>> On Wed, 6 Feb 2019, Florence Blanc-Renaud via FreeIPA-users

wrote:

...

...

...

...

...

>>>> >>>>> On 2/5/19 4:17 PM, dbischof--- via FreeIPA-users wrote: >>>>>> >>>>>> my IPA system consists of 2 masters (ipa1 and ipa2, both on >>>>>> FreeIPA 4.6.4) with their own self-signed CAs, one of them >>>>>> being the certificate renewal master (ipa1). The system has >>>>>> been running for years and has been migrated from an IPA 3 >>>>>> system. Both IPA servers are on domain level 1. >>>>>> >>>>>> Problem: CS replication failed, probably months ago. >>>>>> >>>>>> --- ipa1 --- >>>>>> $ ipa-csreplica-manage -v list ipa1.example.com >>>>>> >>>>>> ipa2.example.com >>>>>> last init status: None >>>>>> last init ended: 1970-01-01 00:00:00+00:00 >>>>>> last update status: Error (-1) Problem connecting to

replica - LDAP error: Can't contact LDAP server (connection error)

...

...

...

...

...

>>>>>> last update ended: 1970-01-01 00:00:00+00:00 >>>>>> >>>>>> -- >>>>>> $ ipa-csreplica-manage -v list ipa2.example.com >>>>>> >>>>>> [no output] >>>>>> ---- >>>>>> >>>>>> Same on ipa2. >>>>>> >>>>>> Probably related: >>>>>> >>>>>> --- >>>>>> ERR - slapi_ldap_bind - Error: could not send startTLS >>>>>> request: error -1 (Can't contact LDAP server) errno 107 >>>>>> (Transport endpoint is not connected) >>>>>> --- >>>>>> >>>>>> Every 5 mins in /var/log/dirsrv/slapd-EXAMPLE-COM/errors. >>>>>> However, these error messages could refer to

ipa3.example.com,

...

...

...

...

...

>>>>>> a master i deleted long (> 2 years) ago: >>>>>> >>>>>> --- >>>>>> $ ipa-replica-manage list-ruv >>>>>> >>>>>> Replica Update Vectors: >>>>>> ipa2.example.com:389: 10 >>>>>> ipa1.example.com:389: 9 >>>>>> Certificate Server Replica Update Vectors: >>>>>> ipa2.example.com:389: 11 >>>>>> ipa1.example.com:389: 91 >>>>>> ipa2.example.com:7389: 96 >>>>>> ipa3.example.com:7389: 97 >>>>>> --- >>>>>> >>>>>> How do i track this down and resolve the problem? >>>>>> >>>>>> >>>>> please find more information re. 389-ds troubleshooting: >>>>> https://www.freeipa.org/page/Troubleshooting/Directory_Server >>>> >>>> I checked for the common problems described in that page already, >>>> but to no avail. I did, however, successfully manage to remove >>>> replication references to ipa3 using "ipa-replica-manage >>>> clean-dangling-ruv": >>>> >>>> --- >>>> $ ipa-replica-manage list-ruv >>>> Replica Update Vectors: >>>> ipa1.example.com:389: 9 >>>> ipa2.example.com:389: 10 >>>> Certificate Server Replica Update Vectors: >>>> ipa1.example.com:389: 91 >>>> ipa2.example.com:389: 11 >>>> --- >>>> >>>> The error message >>>> >>>> --- >>>> [06/Feb/2019:10:38:52.095489260 +0100] - ERR - slapi_ldap_bind - >>>> Error: could not send startTLS request: error -1 (Can't contact

LDAP

...

...

...

...

...

>>>> server) errno 107 (Transport endpoint is not connected) >>>> --- >>>> >>>> on ipa1 is still in the logs. Additionally, while cleaning ruvs: >>>> >>>> --- >>>> [06/Feb/2019:10:32:31.029394375 +0100] - ERR -

NSMMReplicationPlugin

...

...

...

...

...

>>>> - bind_and_check_pwp - >>>> agmt="cn=cloneAgreement1-ipa1.example.com-pki-tomcat"

(ipa2:7389) -

...

...

...

...

...

>>>> Replication bind with SIMPLE auth failed: LDAP error -1 (Can't >>>> contact LDAP server) () >>>> --- >>>> >>>> The ldapsearch queries described in the above page can be carried >>>> out successfully on both servers: >>>> >>>> --- >>>> [...] >>>> # search result >>>> search: 4 >>>> result: 0 Success >>>> >>>> # numResponses: 2 >>>> # numEntries: 1 >>>> --- >>>> >>>> Also, no DNS issues, wrong entries /etc/hosts, time differences

or

...

...

...

...

...

>>>> log messages related to SASL issues. >>>> >>>> Maybe a wrong key or certificate somewhere? >>> >>> update: ipa-checkcerts.py shows >>> >>> --- >>> [...] >>> Failures: >>> ipa: INFO: Unable to find request for serial 268304391 >>> Unable to find request for serial 268304391 >>> ipa: INFO: Unable to find request for serial 268304394 >>> Unable to find request for serial 268304394 >>> ipa: INFO: Unable to find request for serial 268304393 >>> Unable to find request for serial 268304393 >>> ipa: INFO: Unable to find request for serial 268304392 >>> Unable to find request for serial 268304392 >>> ipa: INFO: Subject O=EXAMPLE.COM,CN=ipa2.example.com and template >>> subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for

serial 57

...

...

...

...

...

>>> Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject

CN=

...

...

...

...

...

>>> ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 >>> --- >>> >>> So there is a certificate issue.

Mit freundlichen Gruessen/With best regards,

--Daniel. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Hi,

excellent ! We are almost there. Thanks to you for the hard work.

We should not have two segments with connectivity "both" for CA as you have already mentionned.

We should fix this just with the command line. If you delete the segment using:

ipa topologysegment-del ca <one of the segments>

this should work fine. If not, with my procedure it should work as well. Are you sure you are restarting the services after disabling the plugin ?

Thanks a lot.

German.

On Thu, Feb 14, 2019 at 11:36 AM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

Hi German,

On Tue, 12 Feb 2019, German Parente via FreeIPA-users wrote:

...

well, there's still a possibility to remove it manually. it's rather easy.

ldapsearch -D "cn=directory manager" -W -b "cn=topology,cn=ipa,cn=etc,dc=example,dc=com"

that will show all the entries in the topology subtree. You will find the one with "left-right" or "right-left" connectivity.

Before deleting it, do this:

ldapmodify -D "cn=directory manager" -W << EOF dn: cn=IPA Topology Configuration,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: off EOF

restart services.

Delete the wrong entry with "ldapdelete" command.

then, do this: ldapmodify -D "cn=directory manager" -W << EOF dn: cn=IPA Topology Configuration,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: on EOF

restart services.

Check your segments again.

if you have a subscription, please open a support case, ask for my help and I will fix that in your machines in a remote session.

thanks again for your hints. I guess, i'm out of the woods now:

---

$ ipa topologysegment-find domain

1 segment matched

Segment name: ipa2.example.com-to-ipa1.example.com Left node: ipa2.example.com Right node: ipa1.example.com Connectivity: both

---

Number of entries returned 1

$ ipa topologysegment-find ca

2 segments matched

Segment name: ipa2.example.com-to-ipa1.example.com Left node: ipa2.example.com Right node: ipa1.example.com Connectivity: both

Segment name: ipa1.example.com-to-ipa2.example.com Left node: ipa1.example.com Right node: ipa2.example.com Connectivity: both

---

Number of entries returned 2

$ ipa-replica-manage -v list ipa1.example.com ipa2.example.com: replica last init status: Error (0) Total update succeeded last init ended: 2019-01-11 20:02:40+00:00 last update status: Error (0) Replica acquired successfully: Incremental update succeeded last update ended: 2019-02-14 09:05:01+00:00

$ ipa-replica-manage -v list ipa2.example.com ipa1.example.com: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (0) Replica acquired successfully: Incremental update succeeded last update ended: 2019-02-14 09:05:00+00:00

$ ipa-csreplica-manage -v list ipa1.example.com ipa2.example.com last init status: Error (0) Total update succeeded last init ended: 2019-02-13 13:43:48+00:00 last update status: Error (0) Replica acquired successfully: Incremental update succeeded last update ended: 2019-02-14 09:02:30+00:00

$ ipa-csreplica-manage -v list ipa2.example.com ipa1.example.com last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (0) Replica acquired successfully: Incremental update succeeded last update ended: 2019-02-14 08:57:30+00:00

---

Identical output on both ipa1 and ipa2. In addition to your advice, I had to re-create segment ipa1.example.com-to-ipa2.example.com using topologysegment-add and I also did a

---

$ ipa-csreplica-manage re-initialize --from ipa1.example.com

on ipa2.

I tried to remove the ipa2.example.com-to-ipa1.example.com ca segment using your recipe, but that breaks things, I had to re-create it afterwards. Error messages in dirsrv logs gone.

It remains unclear to me, why removing the 2nd ca segment didn't work - so just to make sure: One "Connectivity: both"-segment for each domain and ca is sufficient (for my two-master-only-topology), right? Having 2 ca segments won't hurt?

Once again: Your help was invaluable.

...

On Tue, Feb 12, 2019 at 9:17 AM dbischof--- via FreeIPA-users <

freeipa-users@lists.fedorahosted.org> wrote:

...

...

On Mon, 11 Feb 2019, German Parente via FreeIPA-users wrote:

...

in fact, there's no sense to have "two segments" one from ipa1 <-->

ipa2

...

...

...

and other ipa1 --> ipa2.

you should delete the segment that is showing "right-left"

connectivity.

...

...

that doesn't work, i tried that already:

---

$ ipa topologysegment-del ca ipa1.example.com-to-ipa2.example.com ipa: ERROR: Server is unwilling to perform: Removal of Segment

disconnects

...

...

topology. Deletion not allowed.

Tried on both masters.

...

On Mon, Feb 11, 2019 at 1:47 PM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

...

On Mon, 11 Feb 2019, German Parente via FreeIPA-users wrote:

...

don't forget "-r" to export. If not, replication metadata will not be exported and after the import, the replicas will not be in sync.

thank you for your hints.

Unfortunately, the replication/topology problem remains unsolved.

Here's what i did:

--- ipa1 (IPA running) db2ldif.pl -Z EXAMPLE-COM -D "cn=Directory Manager" -r -w - -n ipaca

-a

...

...

...

...

/tmp/foo.dif

Copied the file over to ipa2, then

--- ipa2 (IPA not running) ldif2db -Z EXAMPLE-COM -n ipaca -i foo.dif

---

Started IPA on ipa2, but still

---

$ ipa topologysegment-find ca

2 segments matched

Segment name: ipa2.example.com-to-ipa1.example.com Left node: ipa2.example.com Right node: ipa1.example.com Connectivity: both

Segment name: ipa1.example.com-to-ipa2.example.com Left node: ipa1.example.com Right node: ipa2.example.com Connectivity: left-right

---

Number of entries returned 2

In case there's nothing obvious and easy left to be tried out, I'd consider to uninstall IPA on ipa2, reinstall as client and promote ipa2 to master again as described in the docs.

...

On Thu, Feb 7, 2019 at 3:46 PM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

> On Wed, 6 Feb 2019, German Parente via FreeIPA-users wrote: > >> this is a bug in the product that might have been fixed already: >> >> Connectivity: left-right >> >> we cannot have these sort of connectivity. >> >> In ipa02 there's no replication agreement to ipa01 (for ipaca >> database). >> >> But as in ipa01 we see that the topology is showing "both" in the >> connectivity, I suggest to do export-import "off line" of the >> database. Then the topology subtree will be set in ipa02, exactly

as

...

...

...

...

...

>> in ipa01, and the topology plugin will create automatically the >> replication agreement that is missing now. >> >> export from ipa01 the backend ipaca and re-import it in ipa02.

Then,

...

...

...

...

...

>> start the server and check if now it's showing "both" in

connectivity

...

...

...

...

...

>> at ipa02 side. > > thank you for your hints. > > Unfortunately, I never did something like this before (and I can't > access the article you cited below). According to the Directory > Manager docs, it's probably something like > > --- > db2ldif.pl -Z EXAMPLE-COM -D "cn=Directory Manager" -w - -n ipaca

-a /tmp/foo.dif

...

...

...

...

...

> --- > > to export on running ipa1 and > > --- > ldif2db -Z EXAMPLE-COM -n ipaca -i /tmp/foo.dif > --- > > to import on ipa2 with IPA not running, right? Something else to be > taken into account to not break something (these are production > servers - my group is small but vigorous ;-) > >> On Wed, Feb 6, 2019 at 4:57 PM dbischof--- via FreeIPA-users >> freeipa-users@lists.fedorahosted.org wrote: >> >>> On Wed, 6 Feb 2019, German Parente via FreeIPA-users wrote: >>> >>>> have you tried to use "ipa-csreplica-manage re-initialize --from >>>> <replica1>" in replica1 ? >>> >>> Thanks for your answer. >>> >>> I already tried (on ipa2) >>> >>> --- >>> $ ipa-csreplica-manage re-initialize --from ipa1.example.com >>> --- >>> >>> which failed. >>> >>> Interestingly enough, the error message is >>> >>> --- >>> unexpected error: Replication agreement for ipa1.example.com >>> not found >>> --- >>> >>> And indeed: >>> >>> --- >>> $ ipa topologysegment-find ca >>> ------------------ >>> 2 segments matched >>> ------------------ >>> Segment name: ipa2.example.com-to-ipa1.example.com >>> Left node: ipa2.example.com >>> Right node: ipa1.example.com >>> Connectivity: both >>> >>> Segment name: ipa1.example.com-to-ipa2.example.com >>> Left node: ipa1.example.com >>> Right node: ipa2.example.com >>> Connectivity: left-right >>> ---------------------------- >>> Number of entries returned 2 >>> ---------------------------- >>> --- >>> >>> The Web UI topology graph doesn't reflect this, btw. >>> >>> Isn't the 2nd segment obsolete and probably causing my CS >>> replication issues? Just remove it? >>> >>>> You could also re-init off line by using this article: >>>> >>>> https://access.redhat.com/solutions/140483 >>>> >>>> only for ipaca backend. >>>> >>>> On Wed, Feb 6, 2019 at 11:31 AM dbischof--- via FreeIPA-users <

freeipa-users@lists.fedorahosted.org> wrote:

...

...

...

...

...

>>>> >>>>> On Wed, 6 Feb 2019, dbischof--- via FreeIPA-users wrote: >>>>> >>>>>> On Wed, 6 Feb 2019, Florence Blanc-Renaud via FreeIPA-users

wrote:

...

...

...

...

...

>>>>>> >>>>>>> On 2/5/19 4:17 PM, dbischof--- via FreeIPA-users wrote: >>>>>>>> >>>>>>>> my IPA system consists of 2 masters (ipa1 and ipa2, both on >>>>>>>> FreeIPA 4.6.4) with their own self-signed CAs, one of them >>>>>>>> being the certificate renewal master (ipa1). The system has >>>>>>>> been running for years and has been migrated from an IPA 3 >>>>>>>> system. Both IPA servers are on domain level 1. >>>>>>>> >>>>>>>> Problem: CS replication failed, probably months ago. >>>>>>>> >>>>>>>> --- ipa1 --- >>>>>>>> $ ipa-csreplica-manage -v list ipa1.example.com >>>>>>>> >>>>>>>> ipa2.example.com >>>>>>>> last init status: None >>>>>>>> last init ended: 1970-01-01 00:00:00+00:00 >>>>>>>> last update status: Error (-1) Problem connecting to

replica - LDAP error: Can't contact LDAP server (connection error)

...

...

...

...

...

>>>>>>>> last update ended: 1970-01-01 00:00:00+00:00 >>>>>>>> >>>>>>>> -- >>>>>>>> $ ipa-csreplica-manage -v list ipa2.example.com >>>>>>>> >>>>>>>> [no output] >>>>>>>> ---- >>>>>>>> >>>>>>>> Same on ipa2. >>>>>>>> >>>>>>>> Probably related: >>>>>>>> >>>>>>>> --- >>>>>>>> ERR - slapi_ldap_bind - Error: could not send startTLS >>>>>>>> request: error -1 (Can't contact LDAP server) errno 107 >>>>>>>> (Transport endpoint is not connected) >>>>>>>> --- >>>>>>>> >>>>>>>> Every 5 mins in /var/log/dirsrv/slapd-EXAMPLE-COM/errors. >>>>>>>> However, these error messages could refer to >>>>>>>> ipa3.example.com, a master i deleted long (> 2 years) ago: >>>>>>>> >>>>>>>> --- >>>>>>>> $ ipa-replica-manage list-ruv >>>>>>>> >>>>>>>> Replica Update Vectors: >>>>>>>> ipa2.example.com:389: 10 >>>>>>>> ipa1.example.com:389: 9 >>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>> ipa2.example.com:389: 11 >>>>>>>> ipa1.example.com:389: 91 >>>>>>>> ipa2.example.com:7389: 96 >>>>>>>> ipa3.example.com:7389: 97 >>>>>>>> --- >>>>>>>> >>>>>>>> How do i track this down and resolve the problem? >>>>>>>> >>>>>>>> >>>>>>> please find more information re. 389-ds troubleshooting: >>>>>>>

https://www.freeipa.org/page/Troubleshooting/Directory_Server

...

...

...

...

...

>>>>>> >>>>>> I checked for the common problems described in that page

already,

...

...

...

...

...

>>>>>> but to no avail. I did, however, successfully manage to remove >>>>>> replication references to ipa3 using "ipa-replica-manage >>>>>> clean-dangling-ruv": >>>>>> >>>>>> --- >>>>>> $ ipa-replica-manage list-ruv >>>>>> Replica Update Vectors: >>>>>> ipa1.example.com:389: 9 >>>>>> ipa2.example.com:389: 10 >>>>>> Certificate Server Replica Update Vectors: >>>>>> ipa1.example.com:389: 91 >>>>>> ipa2.example.com:389: 11 >>>>>> --- >>>>>> >>>>>> The error message >>>>>> >>>>>> --- >>>>>> [06/Feb/2019:10:38:52.095489260 +0100] - ERR - slapi_ldap_bind

...

...

...

...

...

>>>>>> Error: could not send startTLS request: error -1 (Can't

contact LDAP

...

...

...

...

...

>>>>>> server) errno 107 (Transport endpoint is not connected) >>>>>> --- >>>>>> >>>>>> on ipa1 is still in the logs. Additionally, while cleaning

ruvs:

...

...

...

...

...

>>>>>> >>>>>> --- >>>>>> [06/Feb/2019:10:32:31.029394375 +0100] - ERR -

NSMMReplicationPlugin

...

...

...

...

...

>>>>>> - bind_and_check_pwp - >>>>>> agmt="cn=cloneAgreement1-ipa1.example.com-pki-tomcat"

(ipa2:7389) -

...

...

...

...

...

>>>>>> Replication bind with SIMPLE auth failed: LDAP error -1 (Can't >>>>>> contact LDAP server) () >>>>>> --- >>>>>> >>>>>> The ldapsearch queries described in the above page can be

carried

...

...

...

...

...

>>>>>> out successfully on both servers: >>>>>> >>>>>> --- >>>>>> [...] >>>>>> # search result >>>>>> search: 4 >>>>>> result: 0 Success >>>>>> >>>>>> # numResponses: 2 >>>>>> # numEntries: 1 >>>>>> --- >>>>>> >>>>>> Also, no DNS issues, wrong entries /etc/hosts, time >>>>>> differences or log messages related to SASL issues. >>>>>> >>>>>> Maybe a wrong key or certificate somewhere? >>>>> >>>>> update: ipa-checkcerts.py shows >>>>> >>>>> --- >>>>> [...] >>>>> Failures: >>>>> ipa: INFO: Unable to find request for serial 268304391 >>>>> Unable to find request for serial 268304391 >>>>> ipa: INFO: Unable to find request for serial 268304394 >>>>> Unable to find request for serial 268304394 >>>>> ipa: INFO: Unable to find request for serial 268304393 >>>>> Unable to find request for serial 268304393 >>>>> ipa: INFO: Unable to find request for serial 268304392 >>>>> Unable to find request for serial 268304392 >>>>> ipa: INFO: Subject O=EXAMPLE.COM,CN=ipa2.example.com and

template

...

...

...

...

...

>>>>> subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for

serial 57

...

...

...

...

...

>>>>> Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject

CN=

...

...

...

...

...

>>>>> ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 >>>>> --- >>>>> >>>>> So there is a certificate issue.

Mit freundlichen Gruessen/With best regards,

--Daniel. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Hi,

excellent. Thanks to you for your patience.

Best regards,

German.

On Mon, Feb 18, 2019 at 10:49 AM dbischof--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

Hi German,

On Thu, 14 Feb 2019, German Parente via FreeIPA-users wrote:

...

excellent ! We are almost there. Thanks to you for the hard work.

We should not have two segments with connectivity "both" for CA as you have already mentionned.

We should fix this just with the command line. If you delete the segment using:

ipa topologysegment-del ca <one of the segments>

this should work fine. If not, with my procedure it should work as well. Are you sure you are restarting the services after disabling the plugin?

topologysegment-del didn't work ("server unwilling to perform"), but after temporarily disabling nsslapd-plugin on both masters and ldapdeleting the segment, i'm fine now, i guess:

---

$ ipa topologysegment-find domain

1 segment matched

Segment name: ipa2.example.com-to-ipa1.example.com Left node: ipa2.example.com Right node: ipa1.example.com Connectivity: both

---

Number of entries returned 1

$ ipa topologysegment-find ca

1 segment matched

Segment name: ipa2.example.com-to-ipa1.example.com Left node: ipa2.example.com Right node: ipa1.example.com Connectivity: both

---

Number of entries returned 1

$ ipa-replica-manage -v list ipa1.example.com ipa2.example.com: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (0) Replica acquired successfully: Incremental update succeeded last update ended: 2019-02-15 16:00:00+00:00

$ ipa-replica-manage -v list ipa2.example.com ipa1.example.com: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (0) Replica acquired successfully: Incremental update succeeded last update ended: 2019-02-15 16:00:38+00:00

$ ipa-csreplica-manage -v list ipa1.example.com ipa2.example.com last init status: Error (0) Total update succeeded last init ended: 2019-02-15 15:17:24+00:00 last update status: Error (0) Replica acquired successfully: Incremental update succeeded last update ended: 2019-02-15 16:00:00+00:00

$ ipa-csreplica-manage -v list ipa2.example.com ipa1.example.com last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (0) Replica acquired successfully: Incremental update succeeded last update ended: 2019-02-15 16:00:00+00:00

$ ipa topologysuffix-verify domain

Replication topology of suffix "domain" is in order.

$ ipa topologysuffix-verify ca

Replication topology of suffix "ca" is in order.

---

Thanks again for your hints.

[...]

Mit freundlichen Gruessen/With best regards,

--Daniel. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Hi Rob,

On Wed, 6 Feb 2019, Rob Crittenden via FreeIPA-users wrote:

dbischof--- via FreeIPA-users wrote:

...

On Wed, 6 Feb 2019, dbischof--- via FreeIPA-users wrote:

...

On Wed, 6 Feb 2019, Florence Blanc-Renaud via FreeIPA-users wrote:

...

On 2/5/19 4:17 PM, dbischof--- via FreeIPA-users wrote:

...

my IPA system consists of 2 masters (ipa1 and ipa2, both on FreeIPA   4.6.4) with their own self-signed CAs, one of them being the   certificate renewal master (ipa1). The system has been running for   years and has been migrated from an IPA 3 system. Both IPA servers   are on domain level 1.

Problem: CS replication failed, probably months ago.

--- ipa1 ---   $ ipa-csreplica-manage -v list ipa1.example.com

ipa2.example.com      last init status: None      last init ended: 1970-01-01 00:00:00+00:00      last update status: Error (-1) Problem connecting to replica - LDAP   error: Can't contact LDAP server (connection error)      last update ended: 1970-01-01 00:00:00+00:00

--   $ ipa-csreplica-manage -v list ipa2.example.com

[no output]   ----

Same on ipa2.

Probably related:

---   ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1   (Can't contact LDAP server) errno 107 (Transport endpoint is not   connected)   ---

Every 5 mins in /var/log/dirsrv/slapd-EXAMPLE-COM/errors. However, these   error messages could refer to ipa3.example.com, a master i deleted long   (>   2 years) ago:

---   $ ipa-replica-manage list-ruv

Replica Update Vectors:            ipa2.example.com:389: 10            ipa1.example.com:389: 9   Certificate Server Replica Update Vectors:            ipa2.example.com:389: 11            ipa1.example.com:389: 91            ipa2.example.com:7389: 96            ipa3.example.com:7389: 97   ---

How do i track this down and resolve the problem?

please find more information re. 389-ds troubleshooting:  https://www.freeipa.org/page/Troubleshooting/Directory_Server

I checked for the common problems described in that page already, but to no avail. I did, however, successfully manage to remove replication references to ipa3 using "ipa-replica-manage clean-dangling-ruv":

---

$ ipa-replica-manage list-ruv Replica Update Vectors:         ipa1.example.com:389: 9         ipa2.example.com:389: 10 Certificate Server Replica Update Vectors:         ipa1.example.com:389: 91         ipa2.example.com:389: 11

---

The error message

---

[06/Feb/2019:10:38:52.095489260 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

---

on ipa1 is still in the logs. Additionally, while cleaning ruvs:

---

[06/Feb/2019:10:32:31.029394375 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=cloneAgreement1-ipa1.example.com-pki-tomcat" (ipa2:7389) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()

---

The ldapsearch queries described in the above page can be carried out successfully on both servers:

---

[...] # search result search: 4 result: 0 Success

#  numResponses: 2

#  numEntries: 1

Also, no DNS issues, wrong entries /etc/hosts, time differences or log messages related to SASL issues.

Maybe a wrong key or certificate somewhere?

update: ipa-checkcerts.py shows

---

[...] Failures: ipa: INFO: Unable to find request for serial 268304391 Unable to find request for serial 268304391 ipa: INFO: Unable to find request for serial 268304394 Unable to find request for serial 268304394 ipa: INFO: Unable to find request for serial 268304393 Unable to find request for serial 268304393 ipa: INFO: Unable to find request for serial 268304392 Unable to find request for serial 268304392 ipa: INFO: Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57

---

So there is a certificate issue.

Maybe. I haven't gotten confirmation from the dogtag team that these types of "issues" are actually a problem.

What does ipa-replica-manage list -v `hostname` and ipa-csreplica-manage list -v `hostname` show?

ipa-replica-manage list -v `hostname` is ok on both machines (I fixed a problem with Florence's help a while ago) - shows

--- last update status: Error (0) Replica acquired successfully: Incremental update succeeded ---

ipa-csreplica-manage list -v `hostname` is not ok, please cf. above. No output for one host, "Can't contact LDAP server (connection error)" for the other (queried on both hosts).

If the issues reported by ipa-checkcerts.py may not indicate the root cause for my replication problem, the broken topology appears to be the more likley candidate, I guess (cf. other posts in this thread).

Mit freundlichen Gruessen/With best regards,

--Daniel.