On 1/17/20 4:32 PM, Damien Bras via FreeIPA-users wrote:
Hi,
During the installation of one of our FreeIPA replicas (with ipa-replica-install), the process hangs on "No status yet".
Our domain is in domain level 1.
It seems that the script is waiting for an attribute nsds5ReplicaLastInitStatus.
The master server is up & running and we want to have a multimaster environment.
We don't find any error related to the replication process in the log.
The version installed: 4.6.5-11.0.1.el7_7.3
First, the ipa client is correctly installed on the server. Then we use the command ipa-replica-install to promote it to an IPA server with:
ipa-replica-install -U --principal admin --admin-password $admin_password --domain domain.com --server server2.domain.com --setup-ca --setup-dns --no-forwarders --forward-policy=first --no-dnssec-validation --allow-zone-overlap --reverse-zone=xx.xx.in-addr.arpa --mkhomedir --force-join
In the ipareplica-install.log we just have this:
…
2020-01-17T10:25:46Z DEBUG [28/41]: setting up initial replication
2020-01-17T10:25:46Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c94db6248>
2020-01-17T10:25:47Z DEBUG Destroyed connection context.ldap2_139829518113296
2020-01-17T10:25:47Z DEBUG Starting external process
2020-01-17T10:25:47Z DEBUG args=/bin/systemctl --system daemon-reload
2020-01-17T10:25:47Z DEBUG Process finished, return code=0
2020-01-17T10:25:47Z DEBUG stdout=
2020-01-17T10:25:47Z DEBUG stderr=
2020-01-17T10:25:47Z DEBUG Starting external process
2020-01-17T10:25:47Z DEBUG args=/bin/systemctl restart dirsrv@DOMAIN-COM.service
2020-01-17T10:25:53Z DEBUG Process finished, return code=0
2020-01-17T10:25:53Z DEBUG stdout=
2020-01-17T10:25:53Z DEBUG stderr=
2020-01-17T10:25:53Z DEBUG Restart of dirsrv@HS2-VDC-CORP-HOMESEND-COM.service complete
2020-01-17T10:25:53Z DEBUG Created connection context.ldap2_139829518113296
2020-01-17T10:25:53Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2020-01-17T10:25:53Z DEBUG retrieving schema for SchemaCache url=ldap://server2.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c95da8320>
2020-01-17T10:25:54Z DEBUG Successfully updated nsDS5ReplicaId.
2020-01-17T10:25:54Z DEBUG Add or update replica config cn=replica,cn=dc=domain,dc=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG Added replica config cn=replica,cn=dc=domain,dc=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG Add or update replica config cn=replica,cn=dc=domain,dc=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG No update to cn=replica,cn=dc=domain,dc=com,cn=mapping tree,cn=config necessary
2020-01-17T10:25:54Z DEBUG Waiting for replication (ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket) cn=meToserver2.domain.com,cn=replica,cn=dc=domain,dc=com,cn=mapping tree,cn=config (objectclass=*)
2020-01-17T10:25:54Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meToserver2.domain.com,cn=replica,cn=dc=domain,dc=com,cn=mapping tree,cn=config'), {u'nsds5replicaLastInitStart': ['19700101000000Z'], u'nsds5replicaUpdateInProgress': ['FALSE'], u'cn': ['meToserver2.domain.com'], u'objectClass': ['nsds5replicationagreement', 'top'], u'nsds5replicaLastUpdateEnd': ['19700101000000Z'], u'nsDS5ReplicaRoot': ['dc=domain,dc=com'], u'nsDS5ReplicaHost': ['server2.domain.com'], u'nsds5replicaLastUpdateStatus': ['Error (0) No replication sessions started since server startup'], u'nsDS5ReplicaBindMethod': ['SASL/GSSAPI'], u'nsds5ReplicaStripAttrs': ['modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], u'nsds5replicaLastUpdateStart': ['19700101000000Z'], u'nsDS5ReplicaPort': ['389'], u'nsDS5ReplicaTransportInfo': ['LDAP'], u'description': ['me to server2.domain.com'], u'nsds5replicareapactive': ['0'], u'nsds5replicaChangesSentSinceStartup': [''], u'nsds5replicaTimeout': ['120'], u'nsDS5ReplicatedAttributeList': ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], u'nsds5replicaLastInitEnd': ['19700101000000Z'], u'nsDS5ReplicatedAttributeListTotal': ['(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']})]
Hi,
can you also paste the lines that contain the install error?
On the live master, there is a strange behavior also:
It seems the LDAP is like in read-only mode. For example, if I reset the password of an account, I don't have any error but nothing happens.
I have also those errors on this server:
Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.102642397 +0100] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 2711289715, limit - 86400
Are your servers synchronized (either with ntpd or chronyd)? Maybe the time is different and prevents correct replication.
flo
Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.110464100 +0100] - WARN - NSMMReplicationPlugin - replica_generate_next_csn - opcsn=5e21d27e000000050000 <= basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000
But we don't have any replication because there are no other servers:
# ipa-replica-manage list
server2.domain.com: master
# ipa-replica-manage list-ruv
Directory Manager password:
Replica Update Vectors:
server2.domain.com:389: 5
Certificate Server Replica Update Vectors:
server2.domain.com:389: 6
# ipa topologysuffix-find
2 topology suffixes matched
Suffix name: ca
Managed LDAP suffix DN: o=ipaca
Suffix name: domain
Managed LDAP suffix DN: dc=domain,dc=com
Number of entries returned 2
# ipa topologysegment-find
Suffix name: domain
0 segments matched
Number of entries returned 0
I really don't know what happened here. Could you help us with that?
Best regards,
Damien
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
can you also paste the lines that contain the install error?
The command I typed is this one: ipa-replica-install -U --principal admin --admin-password $admin_password --domain domain.com --server server2.domain.com --setup-ca --setup-dns --no-forwarders --forward-policy=first --no-dnssec-validation --allow-zone-overlap --reverse-zone=xx.xx.in-addr.arpa --mkhomedir --force-join
Are your servers synchronized (either with ntpd or chronyd)?
Yes, they are correctly synchronized to two other NTP servers in our platform, which are synchronized to the external NTP servers.
Damien
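As an added example (not code from the thread, from FreeIPA or from 389-ds), here is a small Python script that decodes the CSNs in the two ns-slapd lines quoted above and compares each CSN's timestamp with the wall-clock time of the log line it appears in. The CSN layout it assumes is 389 Directory Server's 20-hex-digit string form (8 hex digits UNIX timestamp, 4 sequence number, 4 replica ID, 4 sub-sequence number); the regular expressions, the function names and the 86400-second constant are this example's own choices, and the two log lines are copied from the thread rather than constructed.

```python
"""Decode 389-ds (FreeIPA) CSNs found in ns-slapd error-log lines and flag
CSNs whose timestamp lies beyond the csngen adjustment limit.

Added example for this thread; not FreeIPA or 389-ds code.
"""
import re
from datetime import datetime, timedelta, timezone

# csngen refuses to move its clock forward by more than this many seconds
# (the "limit - 86400" in the csngen_adjust_time error quoted in the thread).
CSNGEN_ADJUST_LIMIT = 86400

# A CSN is 20 hex characters: 8 timestamp (seconds since the epoch), 4 sequence
# number, 4 replica ID, 4 sub-sequence number.
CSN_RE = re.compile(r"^([0-9a-f]{8})([0-9a-f]{4})([0-9a-f]{4})([0-9a-f]{4})$")
CSN_TOKEN_RE = re.compile(r"\b((?:adjusted )?opcsn|basecsn)=([0-9a-f]{20})\b")
LOG_TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d+ ([+-]\d{4})\]")
ADJUST_ERR_RE = re.compile(
    r"csngen_adjust_time - Adjustment limit exceeded; value - (\d+), limit - (\d+)")

# The two ns-slapd lines quoted in the thread (copied, not constructed).
LOG_LINES = [
    "Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.102642397 +0100] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 2711289715, limit - 86400",
    "Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.110464100 +0100] - WARN - NSMMReplicationPlugin - replica_generate_next_csn - opcsn=5e21d27e000000050000 <= basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000",
]


def decode_csn(csn):
    """Split a CSN string into timestamp, sequence number, replica ID and sub-sequence."""
    m = CSN_RE.match(csn.lower())
    if not m:
        raise ValueError(f"not a 20-hex-digit CSN: {csn!r}")
    ts, seq, rid, sub = (int(g, 16) for g in m.groups())
    # Pure arithmetic so timestamps past 2038 decode on every platform.
    utc = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)
    return {
        "csn": csn,
        "timestamp": ts,
        "utc": utc.strftime("%Y-%m-%d %H:%M:%S"),
        "seqnum": seq,
        "rid": rid,
        "subseq": sub,
    }


def csn_gap(older, newer):
    """Seconds between the timestamps of two CSNs (newer minus older)."""
    return decode_csn(newer)["timestamp"] - decode_csn(older)["timestamp"]


def log_epoch(line):
    """Wall-clock time of an ns-slapd error-log line as a UNIX timestamp, or None."""
    m = LOG_TS_RE.search(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%b/%Y:%H:%M:%S %z")
    return int(stamp.timestamp())


def parse_adjust_error(line):
    """(value, limit) from a csngen_adjust_time 'Adjustment limit exceeded' line, or None."""
    m = ADJUST_ERR_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def scan(lines, limit=CSNGEN_ADJUST_LIMIT):
    """Decode every opcsn/basecsn token and compare its timestamp with the line's own clock."""
    findings = []
    for line in lines:
        now = log_epoch(line)
        if now is None:
            continue
        for label, csn in CSN_TOKEN_RE.findall(line):
            entry = decode_csn(csn)
            entry["label"] = label
            entry["skew"] = entry["timestamp"] - now        # seconds ahead of the log clock
            entry["exceeds_limit"] = entry["skew"] > limit  # csngen will not bridge this gap
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        flag = "FUTURE" if f["exceeds_limit"] else "ok"
        print(f"{f['label']:>14} {f['csn']} rid={f['rid']} seq={f['seqnum']} "
              f"time={f['utc']} skew={f['skew']:+d}s {flag}")
    for line in LOG_LINES:
        err = parse_adjust_error(line)
        if err:
            print("csngen refused an adjustment of", err[0], "s (limit", err[1], "s)")
```

Run against the two quoted lines, the decode shows what the thread's wording does not: the opcsn timestamp 5e21d27e is 2020-01-17 15:27:58 UTC, within a second of the log line's own clock, while the basecsn timestamp ffbcd1f1 is a date in late 2105. The gap between the two, 2711289715 seconds, is exactly the "value" in the csngen_adjust_time error, so the generator is refusing to move its clock roughly 86 years forward to get past the base CSN, not a few hours. The base CSN also carries replica ID 4, whereas the op CSN and the ipa-replica-manage list-ruv output above show replica ID 5. Nothing in the thread establishes where that far-future CSN came from, but it is not something a small NTP drift between two servers could produce.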
-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: Friday, 17 January 2020 17:08
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Damien Bras damien.bras@homesend.com
Subject: Re: [Freeipa-users] FreeIPA ipa-replica-install hangs on "No status yet" during the first replication