Hi,
During the installation of one of our FreeIPA replicas (with ipa-replica-install), the process hangs on "No status yet".
Our domain is at domain level 1. It seems that the script is waiting for an attribute nsds5ReplicaLastInitStatus.
The master server is up and running and we want to have a multi-master environment.
We didn't find any error related to the replication process in the logs.
The version installed: 4.6.5-11.0.1.el7_7.3
First, the ipa client is correctly installed on the server. Then we use the command ipa-replica-install to promote it to an IPA server with:

ipa-replica-install -U --principal admin --admin-password $admin_password --domain domain.com --server server2.domain.com --setup-ca --setup-dns --no-forwarders --forward-policy=first --no-dnssec-validation --allow-zone-overlap --reverse-zone=xx.xx.in-addr.arpa --mkhomedir --force-join

In the ipareplica-install.log we just have this:

…
2020-01-17T10:25:46Z DEBUG [28/41]: setting up initial replication
2020-01-17T10:25:46Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c94db6248>
2020-01-17T10:25:47Z DEBUG Destroyed connection context.ldap2_139829518113296
2020-01-17T10:25:47Z DEBUG Starting external process
2020-01-17T10:25:47Z DEBUG args=/bin/systemctl --system daemon-reload
2020-01-17T10:25:47Z DEBUG Process finished, return code=0
2020-01-17T10:25:47Z DEBUG stdout=
2020-01-17T10:25:47Z DEBUG stderr=
2020-01-17T10:25:47Z DEBUG Starting external process
2020-01-17T10:25:47Z DEBUG args=/bin/systemctl restart dirsrv@DOMAIN-COM.service
2020-01-17T10:25:53Z DEBUG Process finished, return code=0
2020-01-17T10:25:53Z DEBUG stdout=
2020-01-17T10:25:53Z DEBUG stderr=
2020-01-17T10:25:53Z DEBUG Restart of dirsrv@HS2-VDC-CORP-HOMESEND-COM.service complete
2020-01-17T10:25:53Z DEBUG Created connection context.ldap2_139829518113296
2020-01-17T10:25:53Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2020-01-17T10:25:53Z DEBUG retrieving schema for SchemaCache url=ldap://server2.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c95da8320>
2020-01-17T10:25:54Z DEBUG Successfully updated nsDS5ReplicaId.
2020-01-17T10:25:54Z DEBUG Add or update replica config cn=replica,cn=dc=domain,dc=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG Added replica config cn=replica,cn=dc=domain,dc=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG Add or update replica config cn=replica,cn=dc=domain,dc=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG No update to cn=replica,cn=dc=domain,dc=com,cn=mapping tree,cn=config necessary
2020-01-17T10:25:54Z DEBUG Waiting for replication (ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket) cn=meToserver2.domain.com,cn=replica,cn=dc=domain,dc=com,cn=mapping tree,cn=config (objectclass=*)
2020-01-17T10:25:54Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meToserver2.domain.com,cn=replica,cn=dc=domain,dc=com,cn=mapping tree,cn=config'), {u'nsds5replicaLastInitStart': ['19700101000000Z'], u'nsds5replicaUpdateInProgress': ['FALSE'], u'cn': ['meToserver2.domain.com'], u'objectClass': ['nsds5replicationagreement', 'top'], u'nsds5replicaLastUpdateEnd': ['19700101000000Z'], u'nsDS5ReplicaRoot': ['dc=domain,dc=com'], u'nsDS5ReplicaHost': ['server2.domain.com'], u'nsds5replicaLastUpdateStatus': ['Error (0) No replication sessions started since server startup'], u'nsDS5ReplicaBindMethod': ['SASL/GSSAPI'], u'nsds5ReplicaStripAttrs': ['modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], u'nsds5replicaLastUpdateStart': ['19700101000000Z'], u'nsDS5ReplicaPort': ['389'], u'nsDS5ReplicaTransportInfo': ['LDAP'], u'description': ['me to server2.domain.com'], u'nsds5replicareapactive': ['0'], u'nsds5replicaChangesSentSinceStartup': [''], u'nsds5replicaTimeout': ['120'], u'nsDS5ReplicatedAttributeList': ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], u'nsds5replicaLastInitEnd': ['19700101000000Z'], u'nsDS5ReplicatedAttributeListTotal': ['(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']})]
On the live master, there is also a strange behavior: it seems the LDAP server is in something like read-only mode. For example, if I reset the password of an account, I don't get any error but nothing happens. I also have these errors on this server:

Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.102642397 +0100] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 2711289715, limit - 86400
Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.110464100 +0100] - WARN - NSMMReplicationPlugin - replica_generate_next_csn - opcsn=5e21d27e000000050000 <= basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000

But we don't have any replication because there are no other servers:

# ipa-replica-manage list
server2.domain.com: master

# ipa-replica-manage list-ruv
Directory Manager password:
Replica Update Vectors:
    server2.domain.com:389: 5
Certificate Server Replica Update Vectors:
    server2.domain.com:389: 6

# ipa topologysuffix-find
---------------------------
2 topology suffixes matched
---------------------------
  Suffix name: ca
  Managed LDAP suffix DN: o=ipaca

  Suffix name: domain
  Managed LDAP suffix DN: dc=domain,dc=com
----------------------------
Number of entries returned 2
----------------------------

# ipa topologysegment-find
Suffix name: domain
------------------
0 segments matched
------------------
----------------------------
Number of entries returned 0
----------------------------
I really don't know what happened here. Could you help us with that?
Best regards, Damien
freeipa-users@lists.fedorahosted.org
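Editor's added example, not code from Damien's post or from the FreeIPA project: the two ns-slapd messages and the replication-agreement attributes quoted above carry enough information to diagnose the hang, and this script decodes them. It assumes the 389-ds CSN layout (20 hex digits: 8 for the Unix timestamp, 4 for the sequence number, 4 for the replica id, 4 for the sub-sequence number) and treats an epoch value of 19700101000000Z in the nsds5replicaLast* attributes as "never happened". The sample log lines and agreement entry are copied from the post; the function names (decode_csn, analyze_csn_warning, agreement_state, diagnose) are the example's own.

```python
"""Decode 389-ds CSNs and interpret the replication-agreement state
from the log lines quoted in the post (editor's example, not FreeIPA code)."""
import re
from datetime import datetime, timezone

# Assumed CSN layout: timestamp(8 hex) seqnum(4 hex) replica id(4 hex) subseqnum(4 hex)
CSN_RE = re.compile(r"^[0-9a-f]{20}$")
ADJUST_RE = re.compile(r"csngen_adjust_time - Adjustment limit exceeded; value - (\d+), limit - (\d+)")
CSN_WARN_RE = re.compile(r"opcsn=([0-9a-f]{20}) <= basecsn=([0-9a-f]{20})")
EPOCH = "19700101000000Z"  # what a never-run init/update shows as

# Sample input copied from the post (the master's ns-slapd messages).
SAMPLE_LOG = [
    "Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.102642397 +0100] - ERR - "
    "csngen_adjust_time - Adjustment limit exceeded; value - 2711289715, limit - 86400",
    "Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.110464100 +0100] - WARN - "
    "NSMMReplicationPlugin - replica_generate_next_csn - opcsn=5e21d27e000000050000 "
    "<= basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000",
]

# Sample agreement entry, reduced to the attributes the check needs (values from the post).
SAMPLE_AGREEMENT = {
    "nsDS5ReplicaHost": ["server2.domain.com"],
    "nsds5replicaLastInitStart": [EPOCH],
    "nsds5replicaLastInitEnd": [EPOCH],
    "nsds5replicaUpdateInProgress": ["FALSE"],
    "nsds5replicaLastUpdateStatus": ["Error (0) No replication sessions started since server startup"],
}


def decode_csn(csn):
    """Split a CSN into its fields and render the timestamp as UTC."""
    csn = csn.lower()
    if not CSN_RE.match(csn):
        raise ValueError(f"not a 389-ds CSN: {csn!r}")
    ts = int(csn[0:8], 16)
    return {
        "timestamp": ts,
        "utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "seqnum": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseqnum": int(csn[16:20], 16),
    }


def analyze_adjust_error(line):
    """Return {'value', 'limit'} from a csngen_adjust_time error, or None."""
    m = ADJUST_RE.search(line)
    return {"value": int(m.group(1)), "limit": int(m.group(2))} if m else None


def analyze_csn_warning(line):
    """Decode opcsn/basecsn from a replica_generate_next_csn warning and compute the skew."""
    m = CSN_WARN_RE.search(line)
    if not m:
        return None
    op, base = decode_csn(m.group(1)), decode_csn(m.group(2))
    return {"opcsn": op, "basecsn": base, "skew_seconds": base["timestamp"] - op["timestamp"]}


def agreement_state(entry):
    """Summarise an nsds5replicationagreement entry; attribute names are case-insensitive."""
    attrs = {k.lower(): v for k, v in entry.items()}

    def first(name):
        vals = attrs.get(name.lower())
        return vals[0] if vals else None

    return {
        "host": first("nsDS5ReplicaHost"),
        "init_started": first("nsds5replicaLastInitStart") not in (None, EPOCH),
        "init_status_present": first("nsds5replicaLastInitStatus") is not None,
        "update_in_progress": first("nsds5replicaUpdateInProgress") == "TRUE",
        "update_status": first("nsds5replicaLastUpdateStatus"),
    }


def diagnose(log_lines, agreement):
    """Turn the raw evidence into plain findings an operator can act on."""
    findings = []
    for line in log_lines:
        adj = analyze_adjust_error(line)
        if adj:
            findings.append(f"csngen refused a clock adjustment of {adj['value']} s (limit {adj['limit']} s)")
        w = analyze_csn_warning(line)
        if w:
            findings.append(
                f"base CSN from replica id {w['basecsn']['rid']} is dated {w['basecsn']['utc']}, "
                f"{w['skew_seconds']} s ahead of the local clock ({w['opcsn']['utc']})")
    st = agreement_state(agreement)
    if not st["init_started"]:
        findings.append(
            f"agreement to {st['host']}: initialisation never started; "
            f"nsds5replicaLastInitStatus {'present' if st['init_status_present'] else 'absent'}; "
            f"last update status: {st['update_status']}")
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, SAMPLE_AGREEMENT):
        print("-", f)
```

Run against the post's own lines, the decoded numbers line up exactly: opcsn 5e21d27e carries the master's current time (2020-01-17T15:27:58Z, matching the +0100 log timestamp) with replica id 5, which is the id the RUV lists for server2, while basecsn ffbcd1f1 carries replica id 4 and a timestamp in the year 2105, and the gap between them is 2711289715 seconds, the very value csngen_adjust_time refused because it exceeds the 86400-second limit. That is the check worth automating when ipa-replica-install sits on "No status yet": a far-future CSN in the RUV means the generator cannot issue a new CSN, which is consistent with writes on the master producing no error and no effect, and with the agreement never getting past nsds5replicaLastInitStart = epoch.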