Hi folks, I had a problem with replication and I tried to add the slave back to the replica. The process stops in the initial replication phase.
The firewall and selinux are down and both servers are synchronized with the time.
CentOS 7.3, FreeIPA 4.4.0-14
*Master error log:*
[11/Jun/2017:01:11:45.690402715 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[11/Jun/2017:01:11:45.690877649 -0400] NSMMReplicationPlugin - Warning: unable to acquire replica for total update, error: 49, retrying in 1 seconds.
[11/Jun/2017:01:11:46.966060891 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
[11/Jun/2017:01:11:47.095800971 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)".
[11/Jun/2017:01:12:06.873713837 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server)
[11/Jun/2017:01:12:06.874590112 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Received error -1 (Can't contact LDAP server): for total update operation
[11/Jun/2017:01:12:06.874950648 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server)
[11/Jun/2017:01:12:06.875217640 -0400] NSMMReplicationPlugin - Total update failed for replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)", error (-11)
[11/Jun/2017:01:12:06.894882383 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
[11/Jun/2017:01:12:06.905304992 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[11/Jun/2017:01:12:09.912282245 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
*Client ipareplica-install.log:*
2017-06-11T05:24:24Z DEBUG stderr=
2017-06-11T05:24:24Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2017-06-11T05:24:24Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2017-06-11T05:24:24Z DEBUG flushing ldap://usuarios.ipa.server.com:389 from SchemaCache
2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldap://usuarios.ipa.server.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x86909e0>
2017-06-11T05:24:24Z DEBUG Successfully updated nsDS5ReplicaId.
2017-06-11T05:24:24Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket from SchemaCache
2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x9e74440>
2017-06-11T05:24:46Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
    repl.setup_promote_replication(self.master_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
2017-06-11T05:24:46Z DEBUG [error] RuntimeError: Failed to start replication
2017-06-11T05:24:46Z DEBUG Destroyed connection context.ldap2_101192976
2017-06-11T05:24:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
    promote(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1423, in promote
    promote=True, pkcs12_info=dirsrv_pkcs12_info)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 135, in install_replica_ds
    api=remote_api,
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 401, in create_replica
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
    repl.setup_promote_replication(self.master_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
I think I detected the problem. The error log in the replica writes:
*[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.*
*[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned*
According to this: ( https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/p... )
"When an incoming SASL IO packet is larger than the nsslapd-maxsasliosize limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary"
The problem now is how can I change the value of the attribute during replication.
Regards.
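One way to turn the replica's error-log message above into a bounded new value for nsslapd-maxsasliosize, as an added example that is not part of the original thread or of FreeIPA's code. The 25% headroom, the 1 MiB rounding, the 16 MiB ceiling and all function names are assumptions made for illustration.

```python
import re

# Matches the directory server message quoted in the thread. \s+ between
# words tolerates the line wrapping that mail clients add to pasted logs.
SASL_OVERFLOW = re.compile(
    r"SASL\s+encrypted\s+packet\s+length\s+exceeds\s+maximum\s+allowed\s+limit"
    r"\s*\(\s*length\s*=\s*(\d+)\s*,\s*limit\s*=\s*(\d+)\s*\)"
)

MIB = 1024 * 1024

# Assumption: a site-chosen upper bound. The limit exists so that a client
# cannot make the server buffer arbitrarily large SASL packets, so the
# new value stays finite and modest instead of being raised without bound.
CEILING = 16 * MIB

# Replica error-log lines quoted in the thread. The line break inside the
# first entry is constructed here to mimic mail wrapping.
SAMPLE_LOG = """\
[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds
maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.
[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
"""


def find_overflows(log_text):
    """Return (length, limit) for every rejected SASL packet in the log."""
    return [(int(length), int(limit))
            for length, limit in SASL_OVERFLOW.findall(log_text)]


def recommend_limit(length, headroom_pct=25, ceiling=CEILING):
    """Smallest whole-MiB limit that fits `length` plus headroom.

    Raises ValueError when that would exceed the ceiling: a packet that
    large should be investigated rather than accommodated.
    """
    needed = length + (length * headroom_pct) // 100
    rounded = -(-needed // MIB) * MIB  # round up to a multiple of 1 MiB
    if rounded > ceiling:
        raise ValueError(
            "packet of %d bytes needs %d, above ceiling %d"
            % (length, rounded, ceiling)
        )
    return rounded


def build_ldif(new_limit):
    """LDIF that replaces nsslapd-maxsasliosize in cn=config."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-maxsasliosize\n"
        "nsslapd-maxsasliosize: %d\n" % new_limit
    )


def plan(log_text):
    """Return the LDIF for the largest rejected packet, or None if none."""
    overflows = find_overflows(log_text)
    if not overflows:
        return None
    largest = max(length for length, _ in overflows)
    return build_ldif(recommend_limit(largest))


if __name__ == "__main__":
    print(plan(SAMPLE_LOG))
```

The generated LDIF is input for ldapmodify against the directory server that logged the message, here the replica.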
On Sun, Jun 11, 2017 at 2:20 AM, Adrian HY ayeja153@gmail.com wrote:
Hi folks, I had a problem with replication and I tried to add the slave back to the replica. The process stops in the initial replication phase.
The firewall and selinux are down and both servers are synchronized with the time.
CentOS 7.3, FreeIPA 4.4.0-14
Hi everybody, any suggestions regarding this problem?
On Sun, Jun 11, 2017 at 1:49 PM, Adrian HY ayeja153@gmail.com wrote:
I think I detected the problem. The error log in the replica writes:
*[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.*
*[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned*
According to this: (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/pdf/Configuration_and_Command-Line_Tool_Reference/Red_Hat_Directory_Server-8.2-Configuration_and_Command-Line_Tool_Reference-en-US.pdf)
"When an incoming SASL IO packet is larger than the nsslapd-maxsasliosize limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary"
The problem now is how can I change the value of the attribute during replication.
Regards.
Hey Adrian,
Not sure if it will resolve your problem, but have you tried to reinitialize the replica? You can run this on the replica:
# ipa-replica-manage re-initialize --from=usuarios.ipa.server.com
I hope this helps you.
Cheers,
Givaldo Lins
From: "Adrian HY via FreeIPA-users" freeipa-users@lists.fedorahosted.org
To: freeipa-users@lists.fedorahosted.org
Cc: "Adrian HY" ayeja153@gmail.com
Sent: Monday, June 12, 2017 9:05:03
Subject: [Freeipa-users] Re: replication problem
Hi everybody, any suggestions regarding this problem?
On Sun, Jun 11, 2017 at 1:49 PM, Adrian HY < ayeja153@gmail.com > wrote:
I think I detected the problem. The error log in the replica writes: [11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit. [11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned According this: ( https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/p... )
"When an incoming SASL IO packet is larger than the nsslapd-maxsasliosize limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary"
The problem now is how can I change the value of the attribute during replication.
Regards.
On Sun, Jun 11, 2017 at 2:20 AM, Adrian HY < ayeja153@gmail.com > wrote:
BQ_BEGIN
Hi folks, I had a problem with replication and I tried to add the slave back to the replica. The process stops in the initial replication phase. The firewall and selinux are down and both servers are synchronized with the time. Centos 7.3 Freeipa 4.4.0-14
Master error log:
11/Jun/2017:01:11:45.690402715 -0400] NSMMReplicationPlugin - agmt="cn= meTousuarios-replica.ipa.server.com " (usuarios-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) () [11/Jun/2017:01:11:45.690877649 -0400] NSMMReplicationPlugin - Warning: unable to acquire replica for total update, error: 49, retrying in 1 seconds. [11/Jun/2017:01:11:46.966060891 -0400] NSMMReplicationPlugin - agmt="cn= meTousuarios-replica.ipa.server.com " (usuarios-replica:389): Replication bind with GSSAPI auth resumed [11/Jun/2017:01:11:47.095800971 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn= meTousuarios-replica.ipa.server.com " (usuarios-replica:389)". [11/Jun/2017:01:12:06.873713837 -0400] NSMMReplicationPlugin - agmt="cn= meTousuarios-replica.ipa.server.com " (usuarios-replica:389): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server) [11/Jun/2017:01:12:06.874590112 -0400] NSMMReplicationPlugin - agmt="cn= meTousuarios-replica.ipa.server.com " (usuarios-replica:389): Received error -1 (Can't contact LDAP server): for total updat e operation [11/Jun/2017:01:12:06.874950648 -0400] NSMMReplicationPlugin - agmt="cn= meTousuarios-replica.ipa.server.com " (usuarios-replica:389): Warning: unable to send endReplication extended operation (Can' t contact LDAP server) [11/Jun/2017:01:12:06.875217640 -0400] NSMMReplicationPlugin - Total update failed for replica "agmt="cn= meTousuarios-replica.ipa.server.com " (usuarios-replica:389)", error (-11) [11/Jun/2017:01:12:06.894882383 -0400] NSMMReplicationPlugin - agmt="cn= meTousuarios-replica.ipa.server.com " (usuarios-replica:389): Replication bind with GSSAPI auth resumed [11/Jun/2017:01:12:06.905304992 -0400] NSMMReplicationPlugin - agmt="cn= meTousuarios-replica.ipa.server.com " (usuarios-replica:389): The remote replica has a different database generation ID than the local database. 
You may have to reinitialize the remote replica, or the local replica. [11/Jun/2017:01:12:09.912282245 -0400] NSMMReplicationPlugin - agmt="cn= meTousuarios-replica.ipa.server.com " (usuarios-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
Client ipareplica-install.log:
2017-06-11T05:24:24Z DEBUG stderr=
2017-06-11T05:24:24Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2017-06-11T05:24:24Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2017-06-11T05:24:24Z DEBUG flushing ldap://usuarios.ipa.server.com:389 from SchemaCache
2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldap://usuarios.ipa.server.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x86909e0>
2017-06-11T05:24:24Z DEBUG Successfully updated nsDS5ReplicaId.
2017-06-11T05:24:24Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket from SchemaCache
2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x9e74440>
2017-06-11T05:24:46Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
    repl.setup_promote_replication(self.master_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
2017-06-11T05:24:46Z DEBUG [error] RuntimeError: Failed to start replication
2017-06-11T05:24:46Z DEBUG Destroyed connection context.ldap2_101192976
2017-06-11T05:24:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
    promote(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1423, in promote
    promote=True, pkcs12_info=dirsrv_pkcs12_info)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 135, in install_replica_ds
    api=remote_api,
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 401, in create_replica
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
    repl.setup_promote_replication(self.master_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi Givaldo, I tried to reinitialize the replica and I did not get results.
On Mon, Jun 12, 2017 at 12:28 PM, Givaldo Lins via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hey Adrian,
Not sure if it will resolve your problem, but have you tried to reinitialize the replica? You can run this on the replica:
    # ipa-replica-manage re-initialize --from=usuarios.ipa.server.com
I hope this helps you. Cheers,
Givaldo Lins
*From:* "Adrian HY via FreeIPA-users" freeipa-users@lists.fedorahosted.org
*To:* freeipa-users@lists.fedorahosted.org
*Cc:* "Adrian HY" ayeja153@gmail.com
*Sent:* Monday, June 12, 2017 9:05:03
*Subject:* [Freeipa-users] Re: replication problem
Hi everybody, any suggestions regarding this problem?
On Sun, Jun 11, 2017 at 1:49 PM, Adrian HY ayeja153@gmail.com wrote:
I think I detected the problem. The error log in the replica writes:
*[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.*
[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
According to this: (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/pdf/Configuration_and_Command-Line_Tool_Reference/Red_Hat_Directory_Server-8.2-Configuration_and_Command-Line_Tool_Reference-en-US.pdf)
"When an incoming SASL IO packet is larger than the nsslapd-maxsasliosize limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary"
The problem now is how can I change the value of the attribute during replication.
Regards.
Could you inform OS, release, ipa-server version and domain level?
Cheers,
Givaldo Lins
On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote:
I think I detected the problem. The error log in the replica writes:
*[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.*
[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
According to this: (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/p...)
"When an incoming SASL IO packet is larger than the nsslapd-maxsasliosize limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary"
The problem now is how can I change the value of the attribute during replication.
You just use ldapmodify to change the value on each replica:
    # ldapmodify -D "cn=directory manager" -W
    dn: cn=config
    changetype: modify
    replace: nsslapd-maxsasliosize
    nsslapd-maxsasliosize: YOUR_NEW_VALUE
Regards.
Hi Mark, my problem is during the replica installation. I can't use ldapmodify because *cn=directory manager* does not have the password assigned.
Regards.
On Mon, Jun 12, 2017 at 1:38 PM, Mark Reynolds mareynol@redhat.com wrote:
On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote:
I think I detected the problem. The error log in the replica writes:
[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.
[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
According to this: (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/pdf/Configuration_and_Command-Line_Tool_Reference/Red_Hat_Directory_Server-8.2-Configuration_and_Command-Line_Tool_Reference-en-US.pdf)
"When an incoming SASL IO packet is larger than the nsslapd-maxsasliosize limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary"
The problem now is how can I change the value of the attribute during replication.
You just use ldapmodify to change the value on each replica:
# ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-maxsasliosize
nsslapd-maxsasliosize: YOUR_NEW_VALUE
Regards.
On 06/13/2017 09:49 AM, Adrian HY wrote:
Hi Mark, my problem is during the replica installation. I can't use ldapmodify because *cn=directory manager* does not have the password assigned.
Did you remove the password from the config? There is always a password set during the install. Anyway, to reset it use this doc:
http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html
Regards.
If the problem occurs during the new installation of DS, you need to get a modification of the IPA install script, setting this parameter before setting up replication. Otherwise there is a hack to modify the configuration template:
/usr/share/dirsrv/data/template-dse.ldif
and add the
nsslapd-maxsasliosize: YOUR_NEW_VALUE
line to the cn=config entry.
On 06/13/2017 03:49 PM, Adrian HY via FreeIPA-users wrote:
Hi Mark, my problem is during the replica installation. I can't use ldapmodify because *cn=directory manager* does not have the password assigned.
Regards.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
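Both replies above leave YOUR_NEW_VALUE open. The following added example (not code from the thread's participants or from the 389-ds or FreeIPA projects) sizes the value from the logged packet length and produces it in both forms suggested: the ldapmodify input and the extra line in the cn=config entry of a template. The 1.5x headroom, the 64 MiB ceiling, the function names and the template fragment are assumptions made for illustration.

```python
import math
import re

ATTR = "nsslapd-maxsasliosize"
MIB = 1024 * 1024

# The two replica error-log lines quoted in the thread.
ERROR_LOG = """\
[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.
[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
"""

# Constructed stand-in for a dse.ldif template; not the real file's contents.
TEMPLATE = """\
dn: cn=config
cn: config
objectclass: top
nsslapd-port: 389

dn: cn=plugins,cn=config
objectclass: top
cn: plugins
"""

OVERRUN = re.compile(
    r"SASL encrypted packet length exceeds maximum allowed limit "
    r"\(length=(\d+), limit=(\d+)\)"
)


def sasl_overruns(log_text):
    """Return (length, limit) for every SASL packet the server rejected."""
    return [(int(m.group(1)), int(m.group(2))) for m in OVERRUN.finditer(log_text)]


def recommend_limit(overruns, headroom=1.5, ceiling=64 * MIB):
    """Smallest whole-MiB limit covering the largest rejected packet.

    The logged length is whatever the peer announced, so confirm it came
    from the replication partner before acting on it. The ceiling stops a
    bogus length from turning into an effectively unlimited setting; this
    helper never returns -1 (unlimited).
    """
    if not overruns:
        return None  # nothing was rejected, leave the limit alone
    largest = max(length for length, _limit in overruns)
    value = math.ceil(largest * headroom / MIB) * MIB
    if value > ceiling:
        raise ValueError("packet of %d bytes needs more than the ceiling" % largest)
    return value


def modify_ldif(value):
    """LDIF to feed to ldapmodify, in the form shown in the thread."""
    if not isinstance(value, int) or value <= 0:
        raise ValueError("limit must be a positive integer")
    return "\n".join([
        "dn: cn=config",
        "changetype: modify",
        "replace: " + ATTR,
        "%s: %d" % (ATTR, value),
    ]) + "\n"


def patch_template(template_text, value):
    """Set the attribute in the cn=config entry only, replacing any old value."""
    entries = template_text.strip("\n").split("\n\n")
    patched, found = [], False
    for entry in entries:
        lines = entry.splitlines()
        if lines and lines[0].strip().lower() == "dn: cn=config":
            found = True
            lines = [l for l in lines if not l.lower().startswith(ATTR + ":")]
            lines.append("%s: %d" % (ATTR, value))
        patched.append("\n".join(lines))
    if not found:
        raise ValueError("no cn=config entry in template")
    return "\n\n".join(patched) + "\n"


if __name__ == "__main__":
    limit = recommend_limit(sasl_overruns(ERROR_LOG))
    print(modify_ldif(limit))
    print(patch_template(TEMPLATE, limit))
```

Keep a copy of the original template before editing it, and apply the same value on every replica so a later total update is not rejected in the other direction.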
Huh.. Well, who'da thunk it. I just literally reported the same kind of trouble I was having, which looks like it matches this same situation, with the ipa-replica-install failing to initiate replication because of Invalid password, because the password for some reason does not seem to be being set.
Eric
-----Original Message-----
Date: Tue, 13 Jun 2017 09:49:40 -0400
Subject: [Freeipa-users] Re: replication problem
Cc: FreeIPA users list freeipa-users@lists.fedorahosted.org, Adrian HY ayeja153@gmail.com
To: Mark Reynolds mareynol@redhat.com
Reply-to: FreeIPA users list freeipa-users@lists.fedorahosted.org
From: Adrian HY via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Hi Mark, my problem is during the replica installation. I can't use ldapmodify because cn=directory manager does not have the password assigned.
Regards.
On Mon, Jun 12, 2017 at 1:38 PM, Mark Reynolds mareynol@redhat.com wrote:
On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote:
I think I detected the problem. The error log in the replica writes:
[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.
[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
According to this: (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/pdf/Configuration_and_Command-Line_Tool_Reference/Red_Hat_Directory_Server-8.2-Configuration_and_Command-Line_Tool_Reference-en-US.pdf)
"When an incoming SASL IO packet is larger than the nsslapd-maxsasliosize limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary"
The problem now is how can I change the value of the attribute during replication.
You just use ldapmodify to change the value on each replica:
# ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-maxsasliosize
nsslapd-maxsasliosize: YOUR_NEW_VALUE
Regards.
On 06/13/2017 10:34 AM, Eric Renfro via FreeIPA-users wrote:
Huh.. Well, who'da thunk it. I just literally reported the same kind of trouble I was having, which looks like it matches this same situation, with the ipa-replica-install failing to initiate replication because of Invalid password, because the password for some reason does not seem to be being set.
Sorry, replication does not use the Directory Manager account. Typically some type of "replication manager" entry is used, and in IPA I'm pretty sure this account uses kerberos credentials (not a password).
Going back to the Directory Manager.... To confirm if the password is set, look in /etc/dirsv/slapd-INSTANCE/dse.ldif, and under cn=config look for "nsslapd-rootpw" if this attribute is missing then it truly is not set. If your directory manager account does not have a password, or there is a password but you don't know what it is, then you can reset it following this doc:
http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html
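One way to run the two checks discussed in this thread (whether cn=config in dse.ldif carries nsslapd-rootpw, and whether the packet the replica rejected is larger than nsslapd-maxsasliosize), as an added example that is not part of the original messages or of FreeIPA/389-ds code. The dse.ldif fragment is constructed, the log lines are the ones quoted in the thread, and all function names are hypothetical.

```python
import base64
import re

# The two replica error-log lines quoted in this thread.
THREAD_LOG = (
    "[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds "
    "maximum allowed limit (length=2483849, limit=2097152). Change the "
    "nsslapd-maxsasliosize attribute in cn=config to increase limit.\n"
    "[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned\n"
)

# Constructed dse.ldif fragment: placeholder hash, folded the way LDIF folds long lines.
SAMPLE_DSE = (
    "dn: cn=config\n"
    "objectClass: top\n"
    "nsslapd-rootpw: {SSHA512}CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-HA\n"
    " SH\n"
    "nsslapd-maxsasliosize: 2097152\n"
    "\n"
    "dn: cn=monitor\n"
    "objectClass: top\n"
)

SASL_RE = re.compile(
    r"SASL encrypted packet length exceeds maximum allowed limit "
    r"\(length=(\d+), limit=(\d+)\)"
)


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> [values]."""
    logical = []
    for raw in text.splitlines():
        # A line starting with a single space continues the previous line.
        if raw.startswith(" ") and logical and logical[-1]:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if not line.strip():            # blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):       # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_config(entries):
    """Return the cn=config entry, or None if the file has none."""
    for entry in entries:
        if entry.get("dn", [""])[0].replace(" ", "").lower() == "cn=config":
            return entry
    return None


def oversized_packets(log_text):
    """Return (length, limit) for every rejected SASL packet in the error log."""
    return [(int(m.group(1)), int(m.group(2))) for m in SASL_RE.finditer(log_text)]


def assess(dse_text, log_text):
    cfg = find_config(parse_ldif(dse_text)) or {}
    hits = oversized_packets(log_text)
    configured = cfg.get("nsslapd-maxsasliosize")
    limit = int(configured[0]) if configured else None
    largest = max((length for length, _ in hits), default=0)
    # Limit in force: the configured value, else the one the server itself logged.
    effective = limit if limit is not None else (hits[-1][1] if hits else None)
    unlimited = effective == -1         # -1 is documented as "unlimited"
    return {
        # Only presence is reported; the password hash is never returned.
        "rootpw_set": bool(cfg.get("nsslapd-rootpw")),
        "configured_limit": limit,
        "largest_rejected_packet": largest,
        "limit_too_small": bool(hits) and not unlimited and largest > effective,
        "limit_disabled": unlimited,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_DSE, THREAD_LOG))
```

Sizing YOUR_NEW_VALUE just above `largest_rejected_packet` keeps the packet-size guard in place, whereas `limit_disabled` flags a configuration that has turned it off.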
Hmmm..
Well, in my case specifically, the failed ipa-replica-install does in fact have the nsslapd-rootpw entry, however, changing this in a recovery process does no good during an ipa-replica-install.
Eric
-----Original Message-----
Date: Tue, 13 Jun 2017 10:51:13 -0400
Subject: [Freeipa-users] Re: replication problem
Cc: Eric Renfro <psi-jack@linux-help.org>, Adrian HY <ayeja153@gmail.com>, Mark Reynolds <mareynol@redhat.com>
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Reply-to: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
From: Mark Reynolds via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
On 06/13/2017 10:34 AM, Eric Renfro via FreeIPA-users wrote:
Huh.. Well, who'da thunk it. I just literally reported the same kind of trouble I was having, which looks like it matches this same situation, with the ipa-replica-install failing to initiate replication because of Invalid password, because the password for some reason does not seem to be being set.
Sorry, replication does not use the Directory Manager account. Typically some type of "replication manager" entry is used, and in IPA I'm pretty sure this account uses kerberos credentials (not a password).
Going back to the Directory Manager.... To confirm if the password is set, look in /etc/dirsv/slapd-INSTANCE/dse.ldif, and under cn=config look for "nsslapd-rootpw" if this attribute is missing then it truly is not set. If your directory manager account does not have a password, or there is a password but you don't know what it is, then you can reset it following this doc:
http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.h tml
Eric
-----Original Message-----
Date: Tue, 13 Jun 2017 09:49:40 -0400 Subject: [Freeipa-users] Re: replication problem Cc: FreeIPA users list freeipa-users@lists.fedorahosted.org, Adrian HY ayeja153@gmail.com To: Mark Reynolds mareynol@redhat.com Reply-to: FreeIPA users list freeipa-users@lists.fedorahosted.org From: Adrian HY via FreeIPA-users <freeipa-users@lists.fedorahosted.o rg
Hi Mark, my problem is during the replica installation. I can't use ldapmodify because cn=directory manager does not have the password assigned.
Regards.
On Mon, Jun 12, 2017 at 1:38 PM, Mark Reynolds mareynol@redhat.com wrote:
On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote:
I think I detected the problem. The error log in the replica writes:
[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit. [11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
According this: (https://access.redhat.com/documentation/en-US/Re d_ Hat_Directory_Server/8.2/pdf/Configuration_and_Command- Line_Tool_Reference/Red_Hat_Directory_Server-8.2- Configuration_and_Command-Line_Tool_Reference-en-US.pdf)
"When an incoming SASL IO packet is larger than the nsslapd- maxsasliosize limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary"
The problem now is how can I change the value of the attribute during replication.
You just use ldapmodify to change the value on each replica:
# ldapmodify -D "cn=directory manager" -W dn: cn=config changetype: modify replace: nsslapd-maxsasliosize nsslapd-maxsasliosize: YOUR_NEW_VALUE
Regards.
On Sun, Jun 11, 2017 at 2:20 AM, Adrian HY ayeja153@gmail.com wrote:
Hi folks, I had a problem with replication and I tried to add the slave back to the replica. The process stops in the initial replication phase.
The firewall and selinux are down and both servers are synchronized with the time.
Centos 7.3 Freeipa 4.4.0-14
Master error log:
11/Jun/2017:01:11:45.690402715 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios- replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) () [11/Jun/2017:01:11:45.690877649 -0400] NSMMReplicationPlugin - Warning: unable to acquire replica for total update, error: 49, retrying in 1 seconds. [11/Jun/2017:01:11:46.966060891 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios- replica:389): Replication bind with GSSAPI auth resumed [11/Jun/2017:01:11:47.095800971 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTousuarios- replica.ipa.server.com" (usuarios-replica:389)". [11/Jun/2017:01:12:06.873713837 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios- replica:389): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server) [11/Jun/2017:01:12:06.874590112 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios- replica:389): Received error -1 (Can't contact LDAP server): for total updat e operation [11/Jun/2017:01:12:06.874950648 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios- replica:389): Warning: unable to send endReplication extended operation (Can' t contact LDAP server) [11/Jun/2017:01:12:06.875217640 -0400] NSMMReplicationPlugin - Total update failed for replica "agmt="cn=meTousuarios- replica.ipa.server.com" (usuarios-replica:389)", error (-11) [11/Jun/2017:01:12:06.894882383 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios- replica:389): Replication bind with GSSAPI auth resumed [11/Jun/2017:01:12:06.905304992 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios- replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. 
[11/Jun/2017:01:12:09.912282245 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios- replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
Client ipareplica-install.log:
2017-06-11T05:24:24Z DEBUG stderr= 2017-06-11T05:24:24Z DEBUG wait_for_open_ports: localhost [389] timeout 300 2017-06-11T05:24:24Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5] 2017-06-11T05:24:24Z DEBUG flushing ldap://usuarios.ipa.server.com:389 from SchemaCache 2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldap://usuarios.ipa.server.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x86909e0> 2017-06-11T05:24:24Z DEBUG Successfully updated nsDS5ReplicaId. 2017-06-11T05:24:24Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd- IPA.SERVER.COM.socket from SchemaCache 2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x9e74440> 2017-06-11T05:24:46Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site- packages/ipaserver/install/service.py", line 449, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site- packages/ipaserver/install/service.py", line 439, in run_step method() File "/usr/lib/python2.7/site- packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica repl.setup_promote_replication(self.master_fqdn) File "/usr/lib/python2.7/site- packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication raise RuntimeError("Failed to start replication") RuntimeError: Failed to start replication
2017-06-11T05:24:46Z DEBUG [error] RuntimeError: Failed to start replication 2017-06-11T05:24:46Z DEBUG Destroyed connection context.ldap2_101192976 2017-06-11T05:24:46Z DEBUG File "/usr/lib/python2.7/site- packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site- packages/ipapython/install/cli.py", line 318, in run cfgr.run() File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 310, in run self.execute() File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 332, in execute for nothing in self._executor(): File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 359, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site- packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site- packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 586, in _configure next(executor) File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 449, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 446, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File 
"/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/site- packages/ipapython/install/core.py", line 359, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site- packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site- packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site- packages/ipapython/install/common.py", line 63, in _install for nothing in self._installer(self.parent): File "/usr/lib/python2.7/site- packages/ipaserver/install/server/replicainstall.py", line 1722, in main promote(self) File "/usr/lib/python2.7/site- packages/ipaserver/install/server/replicainstall.py", line 372, in decorated func(installer) File "/usr/lib/python2.7/site- packages/ipaserver/install/server/replicainstall.py", line 1423, in promote promote=True, pkcs12_info=dirsrv_pkcs12_info) File "/usr/lib/python2.7/site- packages/ipaserver/install/server/replicainstall.py", line 135, in install_replica_ds api=remote_api, File "/usr/lib/python2.7/site- packages/ipaserver/install/dsinstance.py", line 401, in create_replica self.start_creation(runtime=60) File "/usr/lib/python2.7/site- packages/ipaserver/install/service.py", line 449, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site- packages/ipaserver/install/service.py", line 439, in run_step method() File "/usr/lib/python2.7/site- packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica repl.setup_promote_replication(self.master_fqdn) File "/usr/lib/python2.7/site- packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication raise RuntimeError("Failed to start replication")
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Eric Renfro via FreeIPA-users wrote:
Hmmm..
Well, in my case specifically, the failed ipa-replica-install does in fact have the nsslapd-rootpw entry, however, changing this in a recovery process does no good during an ipa-replica-install.
I think this is a red herring. The client promotion code happened after my time but I seem to recall that some magic happens regarding the DM password so it isn't required during the install. I'm pretty sure that a random one is set by the installer during initial configuration and at the end it is replaced by the DM password in the master it is replicating from.
So in other words it is expected to not match for some of the installation.
rob
Eric
-----Original Message-----
Date: Tue, 13 Jun 2017 10:51:13 -0400
Subject: [Freeipa-users] Re: replication problem
Cc: Eric Renfro <psi-jack@linux-help.org>, Adrian HY <ayeja153@gmail.com>, Mark Reynolds <mareynol@redhat.com>
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Reply-to: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
From: Mark Reynolds via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
On 06/13/2017 10:34 AM, Eric Renfro via FreeIPA-users wrote:
Huh.. Well, who'da thunk it. I just literally reported the same kind of trouble I was having, which looks like it matches this same situation, with the ipa-replica-install failing to initiate replication because of Invalid password, because the password for some reason does not seem to be being set.
Sorry, replication does not use the Directory Manager account. Typically some type of "replication manager" entry is used, and in IPA I'm pretty sure this account uses kerberos credentials (not a password).
Going back to the Directory Manager.... To confirm if the password is set, look in /etc/dirsrv/slapd-INSTANCE/dse.ldif, and under cn=config look for "nsslapd-rootpw"; if this attribute is missing then it truly is not set. If your directory manager account does not have a password, or there is a password but you don't know what it is, then you can reset it following this doc:
http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html
Eric
-----Original Message-----
Date: Tue, 13 Jun 2017 09:49:40 -0400
Subject: [Freeipa-users] Re: replication problem
Cc: FreeIPA users list <freeipa-users@lists.fedorahosted.org>, Adrian HY <ayeja153@gmail.com>
To: Mark Reynolds <mareynol@redhat.com>
Reply-to: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
From: Adrian HY via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Hi Mark, my problem is during the replica installation. I can't use ldapmodify because cn=directory manager does not have the password assigned.
Regards.
On Mon, Jun 12, 2017 at 1:38 PM, Mark Reynolds mareynol@redhat.com wrote:
On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote:
I think I detected the problem. The error log in the replica writes:
[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.
[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
According to this: (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/pdf/Configuration_and_Command-Line_Tool_Reference/Red_Hat_Directory_Server-8.2-Configuration_and_Command-Line_Tool_Reference-en-US.pdf)
"When an incoming SASL IO packet is larger than the nsslapd-maxsasliosize limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary"
The problem now is how can I change the value of the attribute during replication.
You just use ldapmodify to change the value on each replica:
# ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-maxsasliosize
nsslapd-maxsasliosize: YOUR_NEW_VALUE
Regards.
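The two checks discussed in this thread (whether nsslapd-rootpw is present under cn=config in dse.ldif, and whether the replica's error log shows the nsslapd-maxsasliosize limit being hit) can be scripted. This is an added example, not part of the original messages and not FreeIPA or 389-ds code: the dse.ldif sample is constructed with a placeholder hash, the log lines are the two quoted in the thread, and every function name is hypothetical.

```python
import re

# Constructed dse.ldif sample. The hash is a placeholder, not a real credential,
# and is folded onto a second line the way LDIF wraps long values.
SAMPLE_DSE = """\
dn: cn=config
cn: config
objectClass: top
nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpw: {SSHA512}Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1IQVNI
 LUZPTERFRC1MSU5F
nsslapd-maxsasliosize: 2097152

dn: cn=encryption,cn=config
cn: encryption
"""

# The two replica error-log lines quoted in the thread.
SAMPLE_LOG = (
    "[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds "
    "maximum allowed limit (length=2483849, limit=2097152). Change the "
    "nsslapd-maxsasliosize attribute in cn=config to increase limit.\n"
    "[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned\n"
)

SASL_RE = re.compile(
    r"SASL encrypted packet length exceeds maximum allowed limit "
    r"\(length=(\d+), limit=(\d+)\)"
)


def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def config_entry(ldif_text):
    """Return {attribute_lowercase: [values]} for the 'dn: cn=config' entry only."""
    attrs, in_entry = {}, False
    for line in unfold(ldif_text):
        if not line.strip():
            if in_entry:
                break  # a blank line ends the entry we were reading
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.lstrip(": ")  # also drops the second ':' of 'attr:: base64'
        if name.lower() == "dn":
            in_entry = value.replace(" ", "").lower() == "cn=config"
        elif in_entry:
            attrs.setdefault(name.lower(), []).append(value)
    return attrs


def sasl_overflows(log_text):
    """Return [(packet_length, enforced_limit)] for every SASL size rejection."""
    return [(int(m.group(1)), int(m.group(2))) for m in SASL_RE.finditer(log_text)]


def triage(ldif_text, log_text):
    """Summarise both checks without ever returning the password hash itself."""
    cfg = config_entry(ldif_text)
    rootpw = cfg.get("nsslapd-rootpw", [])
    scheme = None
    if rootpw:
        m = re.match(r"\{([^}]+)\}", rootpw[0])
        scheme = m.group(1) if m else "cleartext-or-unknown"
    configured = cfg.get("nsslapd-maxsasliosize")
    overflows = sasl_overflows(log_text)
    return {
        "rootpw_set": bool(rootpw),
        "rootpw_scheme": scheme,
        "maxsasliosize_in_dse": int(configured[0]) if configured else None,
        "overflow_events": len(overflows),
        "largest_packet": max((length for length, _ in overflows), default=None),
        "enforced_limit": overflows[-1][1] if overflows else None,
        "bulk_import_abandoned": "ERROR bulk import abandoned" in log_text,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DSE, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A largest_packet above enforced_limit together with bulk_import_abandoned is the signature reported in the thread: the total update was cut off by the SASL I/O size limit rather than by a credential problem.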
In my particular case, I'm not using the client installation prior to the replica installation. Though I have tried that method as well, resulting in the very same issues regardless.
I'm using this to do the installation currently:
ipa-replica-install --unattended \
  --no-ntp --mkhomedir --skip-conncheck \
  --ip-address ip.ad.re.ss \
  --principal admin \
  --admin-password "redacted" \
  --server ipa1.home.ld \
  --domain home.ld \
  --realm HOME.LD
I'm going to try once again with the client install (that part works), then promoting that to a replica, using kinit to gain admin privileges and thus omitting the principal, admin-password, domain and realm options to the replica-install command.
Eric
-----Original Message-----
Date: Tue, 13 Jun 2017 11:55:26 -0400
Subject: [Freeipa-users] Re: replication problem
Cc: Eric Renfro <psi-jack@linux-help.org>, Mark Reynolds <mareynol@redhat.com>, Rob Crittenden <rcritten@redhat.com>
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Reply-to: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Eric Renfro via FreeIPA-users wrote:
Hmmm..
Well, in my case specifically, the failed ipa-replica-install does in fact have the nsslapd-rootpw entry, however, changing this in a recovery process does no good during an ipa-replica-install.
I think this is a red herring. The client promotion code happened after my time but I seem to recall that some magic happens regarding the DM password so it isn't required during the install. I'm pretty sure that a random one is set by the installer during initial configuration and at the end it is replaced by the DM password in the master it is replicating from.
So in other words it is expected to not match for some of the installation.
rob
So, this problem is still causing me to be unable to install/build any replica servers.
Eric
-----Original Message-----
Date: Tue, 13 Jun 2017 12:11:57 -0400
Subject: Re: [Freeipa-users] Re: replication problem
Cc: Mark Reynolds <mareynol@redhat.com>, Rob Crittenden <rcritten@redhat.com>
To: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
From: Eric Renfro <psi-jack@linux-help.org>
In my particular case, I'm not using the client installation prior to the replica installation. Though I have tried that method as well, resulting in the very same issues regardless.
I'm using this to do the installation currently:
ipa-replica-install --unattended \
  --no-ntp --mkhomedir --skip-conncheck \
  --ip-address ip.ad.re.ss \
  --principal admin \
  --admin-password "redacted" \
  --server ipa1.home.ld \
  --domain home.ld \
  --realm HOME.LD
I'm going to try once again with the client install (that part works), then promoting that to a replica, using kinit to gain admin privileges and thus omitting the principal, admin-password, domain and realm options to the replica-install command.
Eric
-----Original Message-----
Date: Tue, 13 Jun 2017 11:55:26 -0400 Subject: [Freeipa-users] Re: replication problem Cc: Eric Renfro psi-jack@linux-help.org, Mark Reynolds <mareynol@redh at.com>, Rob Crittenden rcritten@redhat.com To: FreeIPA users list freeipa-users@lists.fedorahosted.org Reply-to: FreeIPA users list freeipa-users@lists.fedorahosted.org From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahoste d.org> Eric Renfro via FreeIPA-users wrote:
Hmmm..
Well, in my case specifically, the failed ipa-replica-install does in fact have the nsslapd-rootpw entry, however, changing this in a recovery process does no good during an ipa-replica-install.
I think this is a red herring. The client promotion code happened after my time but I seem to recall that some magic happens regarding the DM password so it isn't required during the install. I'm pretty sure that a random one is set by the installer during initial configuration and at the end it is replaced by the DM password in the master it is replicating from.
So in other words it is expected to not match for some of the installation.
rob
Eric
-----Original Message-----
*Date*: Tue, 13 Jun 2017 10:51:13 -0400 *Subject*: [Freeipa-users] Re: replication problem *Cc*: Eric Renfro <psi-jack@linux-help.org mailto:Eric%20Renfro%20%3cpsi-jack@linux-help.org%3e>, Adrian HY <ayeja153@gmail.com mailto:Adrian%20HY%20%3cayeja153@gmail.com%3e>, Mark Reynolds <mareynol@redhat.com mailto:Mark%20Reynolds%20%3cmareynol@redhat.com%3e> *To*: FreeIPA users list <freeipa-users@lists.fedorahosted.org mailto:FreeIPA%20users%20list%20%3cfreeipa-users@lists.fedorahosted. org%3e> Reply-to: FreeIPA users list freeipa-users@lists.fedorahosted.org *From*: Mark Reynolds via FreeIPA-users <freeipa-users@lists.fedorahosted.org mailto:Mark%20Reynolds%20via%20FreeIPA-users%20%3cfreeipa-users@list s.fedorahosted.org%3e>
On 06/13/2017 10:34 AM, Eric Renfro via FreeIPA-users wrote:
Huh.. Well, who'da thunk it. I just literally reported the same kind of trouble I was having, which looks like it matches this same situation, with the ipa-replica-install failing to initiate replication because of Invalid password, because the password for some reason does not seem to be being set.
Sorry, replication does not use the Directory Manager account. Typically some type of "replication manager" entry is used, and in IPA I'm pretty sure this account uses kerberos credentials (not a password).
Going back to the Directory Manager.... To confirm if the password is set, look in /etc/dirsv/slapd-INSTANCE/dse.ldif, and under cn=config look for "nsslapd-rootpw" if this attribute is missing then it truly is not set. If your directory manager account does not have a password, or there is a password but you don't know what it is, then you can reset it following this doc:
http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html
Eric
-----Original Message-----
Date: Tue, 13 Jun 2017 09:49:40 -0400
Subject: [Freeipa-users] Re: replication problem
Cc: FreeIPA users list <freeipa-users@lists.fedorahosted.org>, Adrian HY <ayeja153@gmail.com>
To: Mark Reynolds <mareynol@redhat.com>
Reply-to: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
From: Adrian HY via FreeIPA-users <freeipa-users@lists.fedorahosted.org>

Hi Mark, my problem is during the replica installation. I can't use ldapmodify because cn=directory manager does not have the password assigned.
Regards.
On Mon, Jun 12, 2017 at 1:38 PM, Mark Reynolds <mareynol@redhat.com> wrote:
On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote:
I think I detected the problem. The error log in the replica writes:
[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.
[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
According to this: (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/pdf/Configuration_and_Command-Line_Tool_Reference/Red_Hat_Directory_Server-8.2-Configuration_and_Command-Line_Tool_Reference-en-US.pdf)
"When an incoming SASL IO packet is larger than the nsslapd-maxsasliosize limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary"
The problem now is how can I change the value of the attribute during replication.
You just use ldapmodify to change the value on each replica:
# ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-maxsasliosize
nsslapd-maxsasliosize: YOUR_NEW_VALUE
Regards.
On Sun, Jun 11, 2017 at 2:20 AM, Adrian HY ayeja153@gmail.com wrote:
Hi folks, I had a problem with replication and I tried to add the slave back to the replica. The process stops in the initial replication phase.
The firewall and selinux are down and both servers are synchronized with the time.
Centos 7.3 Freeipa 4.4.0-14
Master error log:
11/Jun/2017:01:11:45.690402715 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[11/Jun/2017:01:11:45.690877649 -0400] NSMMReplicationPlugin - Warning: unable to acquire replica for total update, error: 49, retrying in 1 seconds.
[11/Jun/2017:01:11:46.966060891 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
[11/Jun/2017:01:11:47.095800971 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)".
[11/Jun/2017:01:12:06.873713837 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server)
[11/Jun/2017:01:12:06.874590112 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Received error -1 (Can't contact LDAP server): for total update operation
[11/Jun/2017:01:12:06.874950648 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server)
[11/Jun/2017:01:12:06.875217640 -0400] NSMMReplicationPlugin - Total update failed for replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)", error (-11)
[11/Jun/2017:01:12:06.894882383 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
[11/Jun/2017:01:12:06.905304992 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[11/Jun/2017:01:12:09.912282245 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
Client ipareplica-install.log:
2017-06-11T05:24:24Z DEBUG stderr=
2017-06-11T05:24:24Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2017-06-11T05:24:24Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2017-06-11T05:24:24Z DEBUG flushing ldap://usuarios.ipa.server.com:389 from SchemaCache
2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldap://usuarios.ipa.server.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x86909e0>
2017-06-11T05:24:24Z DEBUG Successfully updated nsDS5ReplicaId.
2017-06-11T05:24:24Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket from SchemaCache
2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x9e74440>
2017-06-11T05:24:46Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
    repl.setup_promote_replication(self.master_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
2017-06-11T05:24:46Z DEBUG [error] RuntimeError: Failed to start replication
2017-06-11T05:24:46Z DEBUG Destroyed connection context.ldap2_101192976
2017-06-11T05:24:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
    promote(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1423, in promote
    promote=True, pkcs12_info=dirsrv_pkcs12_info)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 135, in install_replica_ds
    api=remote_api,
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 401, in create_replica
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
    repl.setup_promote_replication(self.master_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
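The two checks suggested in this thread (whether nsslapd-rootpw is present under cn=config in dse.ldif, and how large the rejected SASL packet was compared with nsslapd-maxsasliosize) can be scripted. This is an added example, not part of the original messages and not FreeIPA or 389-ds code; the dse.ldif excerpt is constructed, the log lines are the ones quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed cn=config excerpt; the hash is a placeholder folded the way LDIF wraps long values.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpw: {SSHA512}CONSTRUCTED0PLACEHOLDER0HASH0FOLDED0BY0LDIF0AT
 0THE0LINE0LIMIT
nsslapd-maxsasliosize: 2097152

dn: cn=monitor
"""

# The replica error-log lines quoted in the thread.
SAMPLE_LOG = (
    "[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds "
    "maximum allowed limit (length=2483849, limit=2097152). Change the "
    "nsslapd-maxsasliosize attribute in cn=config to increase limit.\n"
    "[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned\n"
)

OVERFLOW = re.compile(r"packet length exceeds maximum allowed limit \(length=(\d+), limit=(\d+)\)")

def config_entry(dse_text):
    """Attributes of the cn=config entry as {lowercased name: [values]}."""
    unfolded = re.sub(r"\r?\n ", "", dse_text)  # LDIF folding: newline + one space
    for block in re.split(r"\n\s*\n", unfolded):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.lstrip(": ").strip())
        if [v.lower() for v in attrs.get("dn", [])] == ["cn=config"]:
            return attrs
    return {}

def diagnose(dse_text, log_text):
    """Summarise both checks without ever returning the password hash itself."""
    cfg = config_entry(dse_text)
    rootpw = cfg.get("nsslapd-rootpw", [])
    scheme = re.match(r"\{([^}]+)\}", rootpw[0]) if rootpw else None
    limit = cfg.get("nsslapd-maxsasliosize")
    sizes = [int(size) for size, _ in OVERFLOW.findall(log_text)]
    return {"rootpw_set": bool(rootpw),
            "rootpw_scheme": scheme.group(1) if scheme else None,
            "maxsasliosize": int(limit[0]) if limit else None,
            "largest_rejected_packet": max(sizes, default=None)}
```

A largest_rejected_packet above maxsasliosize is the condition the replica log reported; rootpw_set being False corresponds to the "truly is not set" case described in the thread.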