Ricardo Mendes via FreeIPA-users wrote:
Hi Rob, once again thank you for your time and effort following up on
this.
First and regarding the --skip-conncheck the answer is no, I'm not using skip
conncheck.
The process I'm using to add the replica is:
1. ipa-client-install
2. on ns1 add ns3 to ipaservers group
3. ipa-replica-install --setup-ca --setup-dns --forwarder=208.67.222.222
(we use OpenDNS as global forwarder with forward only policy)
Regarding the version error, I investigated a little further to discover that ns2 was
having a replication disagreement with ns1, so I ran `ipa
topologysegment-reinitialize' and fixed that.
After doing so I restarted the process. I came across the same error. I also checked the
logs for dirsrv again. I'm putting the results on pastebin, as I believe it will be easier
to read; hope you don't mind.
from NS3 ipareplica-install:
https://pastebin.com/Ymehai80
from dirsrv logs:
https://pastebin.com/PEVraXL4
I included the log from all the servers.

It still looks like there are replication issues. I think I'd try the
install again with 389-ds plugin-level debugging enabled. This is going
to spam your log but it will provide more information on what the DNA
plugin is doing.

    ipa-server-install --<options> --dirsrv-config-file=update.ldif

Where update.ldif consists of:

    dn: cn=config
    changetype: modify
    replace: nsslapd-errorlog-level
    nsslapd-errorlog-level: 65536

The log level comes from
https://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#troubleshooting

These values are additive so if you want to add replication debugging as
well add 8192.

I have the feeling that it is getting no remote values at all hence it
has no range to apply. But this should confirm it.

rob